From 9df49916dddc90acad8b6bb125109ef77bf8c694bb5e5cf6e1eb8240ec6df75d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Mon, 13 Jan 2025 22:12:06 +0100
Subject: [PATCH] Sync from SUSE:SLFO:Main openssl-3 revision a18901cdc4703a7f28b1abac74a6d884
---
 ...S-Deny-SHA-1-sigver-in-FIPS-provider.patch | 100 +-
 ...lement-explicit-indicator-for-IV-gen.patch | 54 +-
 openssl-3-FIPS-PCT_rsa_keygen.patch | 28 -
 openssl-3-add-defines-CPACF-funcs.patch | 82 +
 openssl-3-add-hw-acceleration-hmac.patch | 506 ++++
 ...l-3-add-xof-state-handling-s3_absorb.patch | 32 +
 openssl-3-add_EVP_DigestSqueeze_api.patch | 1781 ++++++++++++++
 ...c-hw-acceleration-with-engine-digest.patch | 90 +
 ...sl-3-fix-hmac-digest-detection-s390x.patch | 49 +
 ...sl-3-fix-memleak-s390x_HMAC_CTX_copy.patch | 28 +
 openssl-3-fix-quic_multistream_test.patch | 25 +
 openssl-3-fix-s390x_sha3_absorb.patch | 50 +
 openssl-3-fix-s390x_shake_squeeze.patch | 98 +
 openssl-3-fix-sha3-squeeze-ppc64.patch | 31 +
 ...ix-state-handling-keccak_final_s390x.patch | 32 +
 ...fix-state-handling-sha3_absorb_s390x.patch | 32 +
 ...-fix-state-handling-sha3_final_s390x.patch | 32 +
 ...fix-state-handling-shake_final_s390x.patch | 32 +
 openssl-3-hw-acceleration-aes-xts-s390x.patch | 327 +++
 openssl-3-jitterentropy-3.4.0.patch | 124 +-
 ...rt-CPACF-sha3-shake-perf-improvement.patch | 196 ++
 ...P_DigestSqueeze-in-digest-prov-s390x.patch | 160 ++
 ...-support-multiple-sha3_squeeze_s390x.patch | 46 +
 openssl-3-use-include-directive.patch | 35 -
 openssl-3.1.4.tar.gz | 3 -
 openssl-3.1.4.tar.gz.asc | 16 -
 openssl-3.2.3.tar.gz | 3 +
 openssl-3.2.3.tar.gz.asc | 16 +
 openssl-3.changes | 496 +++-
 openssl-3.spec | 261 +-
 ...Add-FIPS-indicator-parameter-to-HKDF.patch | 224 +-
 ...sl-Add-Kernel-FIPS-mode-flag-support.patch | 54 +-
 ...sl-Add-changes-to-ectest-and-eccurve.patch | 3 +-
 ...PROFILE-SYSTEM-system-default-cipher.patch | 140 +-
 ...ort_for_Windows_CA_certificate_store.patch | 743 ------
 ...clevel-2-if-rh-allow-sha1-signatures.patch | 217 --
 ...l-Allow-disabling-of-SHA1-signatures.patch | 150 +-
 openssl-CVE-2023-5678.patch | 174 --
 openssl-CVE-2023-6129.patch | 109 -
 openssl-CVE-2023-6237.patch | 122 -
 openssl-CVE-2024-0727.patch | 118 -
 openssl-CVE-2024-2511.patch | 116 -
 openssl-CVE-2024-41996.patch | 41 -
 openssl-CVE-2024-4603.patch | 199 --
 openssl-CVE-2024-4741.patch | 28 -
 openssl-CVE-2024-5535.patch | 326 ---
 openssl-CVE-2024-6119.patch | 255 --
 openssl-DEFAULT_SUSE_cipher.patch | 64 -
 ...able-default-provider-for-test-suite.patch | 19 -
 ...nable-BTI-feature-for-md5-on-aarch64.patch | 28 -
 openssl-FIPS-140-3-DRBG.patch | 113 +-
 openssl-FIPS-140-3-keychecks.patch | 76 +-
 openssl-FIPS-140-3-zeroization.patch | 128 +-
 ...dd-explicit-indicator-for-key-length.patch | 52 +-
 openssl-FIPS-RSA-disable-shake.patch | 29 +-
 ...-Remove-X9.31-padding-from-FIPS-prov.patch | 56 +-
 ...OAEP-in-KATs-support-fixed-OAEP-seed.patch | 72 +-
 ...gest_sign-digest_verify-in-self-test.patch | 141 +-
 openssl-FIPS-early-KATS.patch | 30 +-
 openssl-FIPS-embed-hmac.patch | 290 ++-
 openssl-FIPS-enforce-EMS-support.patch | 133 +-
 openssl-FIPS-limit-rsa-encrypt.patch | 517 +++-
 ...l-FIPS-release_num_in_version_string.patch | 27 -
 openssl-FIPS-services-minimize.patch | 326 +--
 ...re-Add-indicator-for-PSS-salt-length.patch | 74 +-
 ...EVP_PKEY_CTX_add1_hkdf_info-behavior.patch | 309 ---
 openssl-Force-FIPS.patch | 19 +-
 ...param-in-EVP_PKEY_CTX_add1_hkdf_info.patch | 94 -
 ...nce-for-6x-unrolling-with-vpermxor-i.patch | 495 ----
 openssl-Remove-EC-curves.patch | 65 +-
 ...ble-default-provider-crypto-policies.patch | 43 +
 openssl-crypto-policies-support.patch | 35 -
 ...-Limb-Solinas-Strategy-for-secp384r1.patch | 2159 -----------------
 ...nkage-on-nistp521-felem_-square-mul-.patch | 65 -
 ...dd-asm-implementation-of-felem_-squa.patch | 428 ----
 ...-extraneous-parentheses-in-secp384r1.patch | 76 -
 openssl-load-legacy-provider.patch | 20 +-
 openssl-no-html-docs.patch | 16 +-
 ...t-minimum-password-length-of-8-bytes.patch | 17 +-
 openssl-pkgconfig.patch | 10 +-
 ...c-Fix-stack-allocation-secp384r1-asm.patch | 96 -
 openssl-ppc64-config.patch | 8 +-
 openssl-skip-quic-pairwise.patch | 85 +
 openssl-skipped-tests-EC-curves.patch | 35 +-
 openssl-truststore.patch | 8 +-
 openssl.keyring | 330 +--
 reproducible.patch | 929 -------
 87 files changed, 6190 insertions(+), 9111 deletions(-)
 delete mode 100644 openssl-3-FIPS-PCT_rsa_keygen.patch
 create mode 100644 openssl-3-add-defines-CPACF-funcs.patch
 create mode 100644 openssl-3-add-hw-acceleration-hmac.patch
 create mode 100644 openssl-3-add-xof-state-handling-s3_absorb.patch
 create mode 100644 openssl-3-add_EVP_DigestSqueeze_api.patch
 create mode 100644 openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
 create mode 100644 openssl-3-fix-hmac-digest-detection-s390x.patch
 create mode 100644 openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
 create mode 100644 openssl-3-fix-quic_multistream_test.patch
 create mode 100644 openssl-3-fix-s390x_sha3_absorb.patch
 create mode 100644 openssl-3-fix-s390x_shake_squeeze.patch
 create mode 100644 openssl-3-fix-sha3-squeeze-ppc64.patch
 create mode 100644 openssl-3-fix-state-handling-keccak_final_s390x.patch
 create mode 100644 openssl-3-fix-state-handling-sha3_absorb_s390x.patch
 create mode 100644 openssl-3-fix-state-handling-sha3_final_s390x.patch
 create mode 100644 openssl-3-fix-state-handling-shake_final_s390x.patch
 create mode 100644 openssl-3-hw-acceleration-aes-xts-s390x.patch
 create mode 100644 openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
 create mode 100644 openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
 create mode 100644 openssl-3-support-multiple-sha3_squeeze_s390x.patch
 delete mode 100644 openssl-3-use-include-directive.patch
 delete mode 100644 openssl-3.1.4.tar.gz
 delete mode 100644 openssl-3.1.4.tar.gz.asc
 create mode 100644 openssl-3.2.3.tar.gz
 create mode 100644 openssl-3.2.3.tar.gz.asc
 delete mode 100644 openssl-Add_support_for_Windows_CA_certificate_store.patch
 delete mode 100644 openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
 delete mode 100644 openssl-CVE-2023-5678.patch
 delete mode 100644 openssl-CVE-2023-6129.patch
 delete mode 100644 openssl-CVE-2023-6237.patch
 delete mode 100644 openssl-CVE-2024-0727.patch
 delete mode 100644 openssl-CVE-2024-2511.patch
 delete mode 100644 openssl-CVE-2024-41996.patch
 delete mode 100644 openssl-CVE-2024-4603.patch
 delete mode 100644 openssl-CVE-2024-4741.patch
 delete mode 100644 openssl-CVE-2024-5535.patch
 delete mode 100644 openssl-CVE-2024-6119.patch
 delete mode 100644 openssl-DEFAULT_SUSE_cipher.patch
 delete mode 100644 openssl-Disable-default-provider-for-test-suite.patch
 delete mode 100644 openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
 delete mode 100644 openssl-FIPS-release_num_in_version_string.patch
 delete mode 100644 openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
 delete mode 100644 openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
 delete mode 100644 openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
 create mode 100644 openssl-TESTS-Disable-default-provider-crypto-policies.patch
 delete mode 100644 openssl-crypto-policies-support.patch
 delete mode 100644 openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
 delete mode 100644 openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
 delete mode 100644 openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
 delete mode 100644 openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
 delete mode 100644 openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
 create mode 100644 openssl-skip-quic-pairwise.patch
 delete mode 100644 reproducible.patch
diff --git a/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch b/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
index b4699db..4b141ca 100644
--- a/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+++ b/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
@@ -49,11 +49,11 @@
Signed-off-by: Clemens Lang test/smime-certs/smrsa3.pem | 38 ++++++------ 19 files changed, 286 insertions(+), 256 deletions(-) -Index: openssl-3.1.4/providers/implementations/signature/dsa_sig.c +Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/dsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/dsa_sig.c -@@ -127,11 +127,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct +--- openssl-3.2.3.orig/providers/implementations/signature/dsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/dsa_sig.c +@@ -129,11 +129,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); int md_nid; size_t mdname_len = strlen(mdname); @@ -65,11 +65,11 @@ Index: openssl-3.1.4/providers/implementations/signature/dsa_sig.c md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, sha1_allowed); -Index: openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c +Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/ecdsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c -@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX +--- openssl-3.2.3.orig/providers/implementations/signature/ecdsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c +@@ -247,11 +247,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX "%s could not be fetched", mdname); return 0; } 
@@ -81,11 +81,11 @@ Index: openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, sha1_allowed); if (md_nid < 0) { -Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c +Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c -@@ -306,11 +306,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct +--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c +@@ -321,11 +321,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); int md_nid; size_t mdname_len = strlen(mdname); @@ -97,7 +97,7 @@ Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, sha1_allowed); -@@ -1414,8 +1410,10 @@ static int rsa_set_ctx_params(void *vprs +@@ -1416,8 +1412,10 @@ static int rsa_set_ctx_params(void *vprs if (prsactx->md == NULL && pmdname == NULL && pad_mode == RSA_PKCS1_PSS_PADDING) { @@ -109,10 +109,10 @@ Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; } -Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt =================================================================== ---- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt -+++ openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt ++++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt 
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC Title = ECDSA tests @@ -167,10 +167,10 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_ecdsa.txt Verify = P-256-PUBLIC Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" -Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt =================================================================== ---- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -+++ openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt @@ -96,6 +96,7 @@ NDL6WCBbets= Title = RSA tests 
@@ -282,27 +282,27 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt Verify = RSA-2048-PUBLIC Ctrl = digest:SHA1 Input = "0123456789ABCDEF1234" -@@ -371,6 +386,8 @@ Input="0123456789ABCDEF0123456789ABCDEF" +@@ -858,6 +873,8 @@ Input="0123456789ABCDEF0123456789ABCDEF" Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A # Verify using salt length auto detect -+# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256 ++# In the FIPS provider on SUSE/openSUSE, the default digest for PSS signatures is SHA-256 +Availablein = default Verify = RSA-2048-PUBLIC Ctrl = rsa_padding_mode:pss Ctrl = rsa_pss_saltlen:auto -@@ -405,6 +422,10 @@ Output=4DE433D5844043EF08D354DA03CB29068 +@@ -892,6 +909,10 @@ Output=4DE433D5844043EF08D354DA03CB29068 Result = VERIFY_ERROR # Verify using default parameters, explicitly setting parameters +# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which -+# RHEL-9 does not support in FIPS mode; all these tests are thus marked ++# SUSE/openSUSE do not support in FIPS mode; all these tests are thus marked +# Availablein = default. 
+Availablein = default Verify = RSA-PSS-DEFAULT Ctrl = rsa_padding_mode:pss Ctrl = rsa_pss_saltlen:20 -@@ -413,6 +434,7 @@ Input="0123456789ABCDEF0123" +@@ -900,6 +921,7 @@ Input="0123456789ABCDEF0123" Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF # Verify explicitly setting parameters "digest" salt length @@ -310,7 +310,7 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt Verify = RSA-PSS-DEFAULT Ctrl = rsa_padding_mode:pss Ctrl = rsa_pss_saltlen:digest -@@ -421,18 +443,21 @@ Input="0123456789ABCDEF0123" +@@ -908,18 +930,21 @@ Input="0123456789ABCDEF0123" Output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erify using salt length larger than minimum @@ -332,7 +332,7 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt Verify = RSA-PSS-DEFAULT Ctrl = rsa_pss_saltlen:0 Result = PKEY_CTRL_ERROR -@@ -440,21 +465,25 @@ Result = PKEY_CTRL_ERROR +@@ -927,21 +952,25 @@ Result = PKEY_CTRL_ERROR # Attempt to change padding mode # Note this used to return PKEY_CTRL_INVALID # but it is limited because setparams only returns 0 or 1. @@ -358,7 +358,7 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt Verify = RSA-PSS-BAD2 Result = KEYOP_INIT_ERROR Reason = invalid salt length -@@ -473,36 +502,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF +@@ -960,36 +989,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF 4fINDOjP+yJJvZohNwIDAQAB -----END PUBLIC KEY----- 
@@ -401,7 +401,7 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt Verify=RSA-PSS-1 Ctrl = rsa_padding_mode:pss Ctrl = rsa_mgf1_md:sha1 -@@ -518,36 +553,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E +@@ -1005,36 +1040,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ== -----END PUBLIC KEY----- @@ -444,7 +444,7 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt Verify=RSA-PSS-9 Ctrl = rsa_padding_mode:pss Ctrl = rsa_mgf1_md:sha1 -@@ -565,36 +606,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5 +@@ -1052,36 +1093,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5 BQIDAQAB -----END PUBLIC KEY----- @@ -487,12 +487,12 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt Verify=RSA-PSS-10 Ctrl = rsa_padding_mode:pss Ctrl = rsa_mgf1_md:sha1 -@@ -1384,11 +1431,13 @@ Title = RSA FIPS tests +@@ -1817,11 +1864,13 @@ Title = RSA FIPS tests # FIPS tests -# Verifying with SHA1 is permitted in fips mode for older applications -+# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode ++# Verifying with SHA1 is not permitted on SUSE/openSUSE in FIPS mode +Availablein = fips DigestVerify = SHA1 Key = RSA-2048 @@ -502,10 +502,10 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evppkey_rsa_common.txt # Verifying with a 1024 bit key is permitted in fips mode for older applications DigestVerify = SHA256 -Index: openssl-3.1.4/test/recipes/80-test_cms.t +Index: openssl-3.2.3/test/recipes/80-test_cms.t =================================================================== ---- openssl-3.1.4.orig/test/recipes/80-test_cms.t -+++ openssl-3.1.4/test/recipes/80-test_cms.t +--- openssl-3.2.3.orig/test/recipes/80-test_cms.t ++++ openssl-3.2.3/test/recipes/80-test_cms.t @@ -163,7 +163,7 @@ my @smime_pkcs7_tests = ( [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1", "-certfile", $smroot, 
@@ -524,11 +524,11 @@ Index: openssl-3.1.4/test/recipes/80-test_cms.t "-CAfile", $smroot, "-out", "{output}.txt" ], \&zero_compare ], -Index: openssl-3.1.4/test/recipes/80-test_ssl_old.t +Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t =================================================================== ---- openssl-3.1.4.orig/test/recipes/80-test_ssl_old.t -+++ openssl-3.1.4/test/recipes/80-test_ssl_old.t -@@ -397,6 +397,9 @@ sub testssl { +--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t ++++ openssl-3.2.3/test/recipes/80-test_ssl_old.t +@@ -394,6 +394,9 @@ sub testssl { 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); } @@ -538,7 +538,7 @@ Index: openssl-3.1.4/test/recipes/80-test_ssl_old.t ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), 'test sslv2/sslv3 with server authentication'); ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), -@@ -405,6 +408,7 @@ sub testssl { +@@ -402,6 +405,7 @@ sub testssl { 'test sslv2/sslv3 with both client and server authentication via BIO pair'); ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); @@ -546,3 +546,25 @@ Index: openssl-3.1.4/test/recipes/80-test_ssl_old.t SKIP: { skip "No IPv4 available on this machine", 4 +Index: openssl-3.2.3/test/acvp_test.inc +=================================================================== +--- openssl-3.2.3.orig/test/acvp_test.inc ++++ openssl-3.2.3/test/acvp_test.inc +@@ -1844,17 +1844,6 @@ static const struct rsa_sigver_st rsa_si + { + "x931", + 3072, +- "SHA1", +- ITM(rsa_sigverx931_0_msg), +- ITM(rsa_sigverx931_0_n), +- ITM(rsa_sigverx931_0_e), +- ITM(rsa_sigverx931_0_sig), +- NO_PSS_SALT_LEN, +- PASS +- }, +- { +- "x931", +- 3072, + "SHA256", + ITM(rsa_sigverx931_1_msg), + ITM(rsa_sigverx931_1_n), 
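Review bot: Deleting the x931/3072/"SHA1" `rsa_sigver_st` entry from `test/acvp_test.inc` removes the one ACVP vector that would exercise the SHA-1 signature-verification denial this patch introduces in the FIPS provider, so a regression that re-allowed SHA-1 there would pass this test unnoticed; if the harness has an expected-failure outcome next to the `PASS` visible here, keeping the vector with that expectation preserves the coverage instead of dropping it. The embedded patch's own diffstat in the first hunk of this file still reads `19 files changed, 286 insertions(+), 256 deletions(-)` although the rebase now also touches `test/acvp_test.inc`; regenerate or drop that line so the summary is not misleading. The array being edited continues outside the hunk and its name is truncated in the hunk header.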
diff --git a/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch b/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch index f9f2f29..32a7105 100644 --- a/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch +++ b/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch @@ -18,23 +18,11 @@ Signed-off-by: Clemens Lang .../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++ 4 files changed, 34 insertions(+) -Index: openssl-3.1.4/include/openssl/core_names.h +Index: openssl-3.2.3/include/openssl/evp.h =================================================================== ---- openssl-3.1.4.orig/include/openssl/core_names.h -+++ openssl-3.1.4/include/openssl/core_names.h -@@ -99,6 +99,7 @@ extern "C" { - #define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */ - /* For passing the AlgorithmIdentifier parameter in DER form */ - #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */ -+#define OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" /* int */ - - #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \ - "tls1multi_maxsndfrag" /* uint */ -Index: openssl-3.1.4/include/openssl/evp.h -=================================================================== ---- openssl-3.1.4.orig/include/openssl/evp.h -+++ openssl-3.1.4/include/openssl/evp.h -@@ -750,6 +750,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER +--- openssl-3.2.3.orig/include/openssl/evp.h ++++ openssl-3.2.3/include/openssl/evp.h +@@ -753,6 +753,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags); 
@@ -44,12 +32,12 @@ Index: openssl-3.1.4/include/openssl/evp.h + __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv); - /*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, -Index: openssl-3.1.4/providers/implementations/ciphers/ciphercommon.c + __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, +Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/ciphers/ciphercommon.c -+++ openssl-3.1.4/providers/implementations/ciphers/ciphercommon.c -@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_know +--- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon.c ++++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c +@@ -152,6 +152,10 @@ static const OSSL_PARAM cipher_aead_know OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0), 
@@ -60,13 +48,13 @@ Index: openssl-3.1.4/providers/implementations/ciphers/ciphercommon.c OSSL_PARAM_END }; const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params( -Index: openssl-3.1.4/providers/implementations/ciphers/ciphercommon_gcm.c +Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/ciphers/ciphercommon_gcm.c -+++ openssl-3.1.4/providers/implementations/ciphers/ciphercommon_gcm.c -@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, - || !getivgen(ctx, p->data, p->data_size)) - return 0; +--- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon_gcm.c ++++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c +@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx, + break; + } } + + /* We would usually hide this under #ifdef FIPS_MODULE, but @@ -96,3 +84,15 @@ Index: openssl-3.1.4/providers/implementations/ciphers/ciphercommon_gcm.c return 1; } +Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm +=================================================================== +--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm ++++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm +@@ -102,6 +102,7 @@ my %params = ( + 'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string + # For passing the AlgorithmIdentifier parameter in DER form + 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string ++ 'CIPHER_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",# int + 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string + + 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint diff --git a/openssl-3-FIPS-PCT_rsa_keygen.patch b/openssl-3-FIPS-PCT_rsa_keygen.patch deleted file mode 100644 index 55dbe54..0000000 --- a/openssl-3-FIPS-PCT_rsa_keygen.patch +++ /dev/null 
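Review bot: Moving the `'CIPHER_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator"` entry into `util/perl/OpenSSL/paramnames.pm` only yields the `OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR` macro the old `core_names.h` hunk defined if the build regenerates `include/openssl/core_names.h` from that table, which is how the 3.2 series produces the `OSSL_*_PARAM_*` names; if a pregenerated header were picked up instead, the `ciphercommon_gcm.c` hunk that presumably reads this parameter would not see the macro. Worth confirming from the build log that the generated header contains the macro, and recording the `core_names.h` → `paramnames.pm` move in the embedded patch's description so the next rebase does not reintroduce the old hunk. The `%params` hash continues on both sides of this hunk.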
@@ -1,28 +0,0 @@ -Index: openssl-3.1.4/crypto/rsa/rsa_gen.c -=================================================================== ---- openssl-3.1.4.orig/crypto/rsa/rsa_gen.c -+++ openssl-3.1.4/crypto/rsa/rsa_gen.c -@@ -428,7 +428,12 @@ static int rsa_keygen(OSSL_LIB_CTX *libc - - #ifdef FIPS_MODULE - ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb); -- pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */ -+ /* FIPS MODE needs to always run the pairwise test. But, the -+ * rsa_keygen_pairwise_test() PCT as self-test requirements will be -+ * covered by do_rsa_pct() for both RSA-OAEP and RSA signatures and -+ * this PCT can be skipped here. See bsc#1221760 for more info. -+ */ -+ pairwise_test = 0; - #else - /* - * Only multi-prime keys or insecure keys with a small key length or a -@@ -463,6 +468,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libc - rsa->dmp1 = NULL; - rsa->dmq1 = NULL; - rsa->iqmp = NULL; -+#ifdef FIPS_MODULE -+ abort(); -+#endif /* FIPS_MODULE */ - } - } - return ok; diff --git a/openssl-3-add-defines-CPACF-funcs.patch b/openssl-3-add-defines-CPACF-funcs.patch new file mode 100644 index 0000000..22776fc --- /dev/null +++ b/openssl-3-add-defines-CPACF-funcs.patch @@ -0,0 +1,82 @@ +commit 518b53b139d7b4ac082ccedd401d2ee08fc66985 +Author: Ingo Franzki +Date: Wed Jan 31 16:26:52 2024 +0100 + + s390x: Add defines for new CPACF functions + + Add defines for new CPACF functions codes, its required MSA levels, and + document how to disable these functions via the OPENSSL_s390xcap environment + variable. + + 
Signed-off-by: Ingo Franzki + + Reviewed-by: Paul Dale + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/25161) + +diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h +index fdc682af06..88ed866b0d 100644 +--- a/crypto/s390x_arch.h ++++ b/crypto/s390x_arch.h +@@ -1,5 +1,5 @@ + /* +- * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -115,6 +115,7 @@ extern int OPENSSL_s390xcex; + # define S390X_MSA5 57 /* message-security-assist-ext. 5 */ + # define S390X_MSA3 76 /* message-security-assist-ext. 3 */ + # define S390X_MSA4 77 /* message-security-assist-ext. 4 */ ++# define S390X_MSA12 86 /* message-security-assist-ext. 12 */ + # define S390X_VX 129 /* vector */ + # define S390X_VXD 134 /* vector packed decimal */ + # define S390X_VXE 135 /* vector enhancements 1 */ +@@ -150,6 +151,14 @@ extern int OPENSSL_s390xcex; + /* km */ + # define S390X_XTS_AES_128 50 + # define S390X_XTS_AES_256 52 ++# define S390X_XTS_AES_128_MSA10 82 ++# define S390X_XTS_AES_256_MSA10 84 ++ ++/* kmac */ ++# define S390X_HMAC_SHA_224 112 ++# define S390X_HMAC_SHA_256 113 ++# define S390X_HMAC_SHA_384 114 ++# define S390X_HMAC_SHA_512 115 + + /* prno */ + # define S390X_SHA_512_DRNG 3 +diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod +index d7185530ec..363003d8d3 100644 +--- a/doc/man3/OPENSSL_s390xcap.pod ++++ b/doc/man3/OPENSSL_s390xcap.pod +@@ -74,6 +74,7 @@ the numbering is continuous across 64-bit mask boundaries. 
+ : + # 76 1<<51 message-security assist extension 3 + # 77 1<<50 message-security assist extension 4 ++ # 86 1<<41 message-security-assist extension 12 + : + #129 1<<62 vector facility + #134 1<<57 vector packed decimal facility +@@ -110,6 +111,8 @@ the numbering is continuous across 64-bit mask boundaries. + # 50 1<<13 KM-XTS-AES-128 + # 52 1<<11 KM-XTS-AES-256 + : ++ # 82 1<<45 KM-XTS-AES-128-MSA10 ++ # 84 1<<43 KM-XTS-AES-256-MSA10 + + kmc : + # 18 1<<45 KMC-AES-128 +@@ -122,6 +125,10 @@ the numbering is continuous across 64-bit mask boundaries. + # 19 1<<44 KMAC-AES-192 + # 20 1<<43 KMAC-AES-256 + : ++ # 112 1<<15 KMAC-SHA-224 ++ # 113 1<<14 KMAC-SHA-256 ++ # 114 1<<13 KMAC-SHA-384 ++ # 115 1<<12 KMAC-SHA-512 + + kmctr: + : diff --git a/openssl-3-add-hw-acceleration-hmac.patch b/openssl-3-add-hw-acceleration-hmac.patch new file mode 100644 index 0000000..e2368be --- /dev/null +++ b/openssl-3-add-hw-acceleration-hmac.patch @@ -0,0 +1,506 @@ +commit 0499de5adda26b1ef09660f70c12b4710b5f7c8a +Author: Ingo Franzki +Date: Thu Feb 1 15:15:27 2024 +0100 + + s390x: Add hardware acceleration for HMAC + + The CPACF instruction KMAC provides support for accelerating the HMAC + algorithm on newer machines for HMAC with SHA-224, SHA-256, SHA-384, and + SHA-512. + + Preliminary measurements showed performance improvements of up to a factor + of 2, dependent on the message size, whether chunking is used and the size + of the chunks. + + 
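Review bot: This new patch file is kept in `git diff` form with upstream blob ids (`index fdc682af06..88ed866b0d`) and `a/`/`b/` prefixes, while the sibling backport from the same upstream pull request, `openssl-3-add-hw-acceleration-hmac.patch`, is rewritten in quilt form against `openssl-3.2.3/` paths; using one convention for backports in this package keeps the strip level and rebase workflow uniform. The header carries the upstream commit id and PR link but nothing saying the hunks were checked against 3.2.3's `crypto/s390x_arch.h` and `doc/man3/OPENSSL_s390xcap.pod`, whose context may differ from the upstream tree the blob ids refer to; a one-line note in the header about the 3.2.3 rebase would make that explicit.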
Signed-off-by: Ingo Franzki + + Reviewed-by: Paul Dale + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/25161) + +Index: openssl-3.2.3/crypto/hmac/build.info +=================================================================== +--- openssl-3.2.3.orig/crypto/hmac/build.info ++++ openssl-3.2.3/crypto/hmac/build.info +@@ -2,5 +2,22 @@ LIBS=../../libcrypto + + $COMMON=hmac.c + +-SOURCE[../../libcrypto]=$COMMON +-SOURCE[../../providers/libfips.a]=$COMMON ++IF[{- !$disabled{asm} -}] ++ IF[{- ($target{perlasm_scheme} // '') ne '31' -}] ++ $HMACASM_s390x=hmac_s390x.c ++ $HMACDEF_s390x=OPENSSL_HMAC_S390X ++ ENDIF ++ ++ # Now that we have defined all the arch specific variables, use the ++ # appropriate ones, and define the appropriate macros ++ IF[$HMACASM_{- $target{asm_arch} -}] ++ $HMACASM=$HMACASM_{- $target{asm_arch} -} ++ $HMACDEF=$HMACDEF_{- $target{asm_arch} -} ++ ENDIF ++ENDIF ++ ++DEFINE[../../libcrypto]=$HMACDEF ++DEFINE[../../providers/libfips.a]=$HMACDEF ++ ++SOURCE[../../libcrypto]=$COMMON $HMACASM ++SOURCE[../../providers/libfips.a]=$COMMON $HMACASM +Index: openssl-3.2.3/crypto/hmac/hmac.c +=================================================================== +--- openssl-3.2.3.orig/crypto/hmac/hmac.c ++++ openssl-3.2.3/crypto/hmac/hmac.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
You can obtain a copy +@@ -49,6 +49,12 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) + return 0; + ++#ifdef OPENSSL_HMAC_S390X ++ rv = s390x_HMAC_init(ctx, key, len, impl); ++ if (rv >= 1) ++ return rv; ++#endif ++ + if (key != NULL) { + reset = 1; + +@@ -111,6 +117,12 @@ int HMAC_Update(HMAC_CTX *ctx, const uns + { + if (!ctx->md) + return 0; ++ ++#ifdef OPENSSL_HMAC_S390X ++ if (ctx->plat.s390x.fc) ++ return s390x_HMAC_update(ctx, data, len); ++#endif ++ + return EVP_DigestUpdate(ctx->md_ctx, data, len); + } + +@@ -122,6 +134,11 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c + if (!ctx->md) + goto err; + ++#ifdef OPENSSL_HMAC_S390X ++ if (ctx->plat.s390x.fc) ++ return s390x_HMAC_final(ctx, md, len); ++#endif ++ + if (!EVP_DigestFinal_ex(ctx->md_ctx, buf, &i)) + goto err; + if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->o_ctx)) +@@ -161,6 +178,10 @@ static void hmac_ctx_cleanup(HMAC_CTX *c + EVP_MD_CTX_reset(ctx->o_ctx); + EVP_MD_CTX_reset(ctx->md_ctx); + ctx->md = NULL; ++ ++#ifdef OPENSSL_HMAC_S390X ++ s390x_HMAC_CTX_cleanup(ctx); ++#endif + } + + void HMAC_CTX_free(HMAC_CTX *ctx) +@@ -212,6 +233,12 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C + if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx)) + goto err; + dctx->md = sctx->md; ++ ++#ifdef OPENSSL_HMAC_S390X ++ if (s390x_HMAC_CTX_copy(dctx, sctx) == 0) ++ goto err; ++#endif ++ + return 1; + err: + hmac_ctx_cleanup(dctx); +Index: openssl-3.2.3/crypto/hmac/hmac_local.h +=================================================================== +--- openssl-3.2.3.orig/crypto/hmac/hmac_local.h ++++ openssl-3.2.3/crypto/hmac/hmac_local.h +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
You can obtain a copy +@@ -10,6 +10,10 @@ + #ifndef OSSL_CRYPTO_HMAC_LOCAL_H + # define OSSL_CRYPTO_HMAC_LOCAL_H + ++# include "internal/common.h" ++# include "internal/numbers.h" ++# include "openssl/sha.h" ++ + /* The current largest case is for SHA3-224 */ + #define HMAC_MAX_MD_CBLOCK_SIZE 144 + +@@ -18,6 +22,45 @@ struct hmac_ctx_st { + EVP_MD_CTX *md_ctx; + EVP_MD_CTX *i_ctx; + EVP_MD_CTX *o_ctx; ++ ++ /* Platform specific data */ ++ union { ++ int dummy; ++# ifdef OPENSSL_HMAC_S390X ++ struct { ++ unsigned int fc; /* 0 if not supported by kmac instruction */ ++ int blk_size; ++ int ikp; ++ int iimp; ++ unsigned char *buf; ++ size_t size; /* must be multiple of digest block size */ ++ size_t num; ++ union { ++ OSSL_UNION_ALIGN; ++ struct { ++ uint32_t h[8]; ++ uint64_t imbl; ++ unsigned char key[64]; ++ } hmac_224_256; ++ struct { ++ uint64_t h[8]; ++ uint128_t imbl; ++ unsigned char key[128]; ++ } hmac_384_512; ++ } param; ++ } s390x; ++# endif /* OPENSSL_HMAC_S390X */ ++ } plat; + }; + ++# ifdef OPENSSL_HMAC_S390X ++# define HMAC_S390X_BUF_NUM_BLOCKS 64 ++ ++int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl); ++int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len); ++int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len); ++int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); ++int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx); ++# endif /* OPENSSL_HMAC_S390X */ ++ + #endif +Index: openssl-3.2.3/crypto/hmac/hmac_s390x.c +=================================================================== +--- /dev/null ++++ openssl-3.2.3/crypto/hmac/hmac_s390x.c +@@ -0,0 +1,298 @@ ++/* ++ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. 
You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include "crypto/s390x_arch.h" ++#include "hmac_local.h" ++#include "openssl/obj_mac.h" ++#include "openssl/evp.h" ++ ++#ifdef OPENSSL_HMAC_S390X ++ ++static int s390x_fc_from_md(const EVP_MD *md) ++{ ++ int fc; ++ ++ switch (EVP_MD_get_type(md)) { ++ case NID_sha224: ++ fc = S390X_HMAC_SHA_224; ++ break; ++ case NID_sha256: ++ fc = S390X_HMAC_SHA_256; ++ break; ++ case NID_sha384: ++ fc = S390X_HMAC_SHA_384; ++ break; ++ case NID_sha512: ++ fc = S390X_HMAC_SHA_512; ++ break; ++ default: ++ return 0; ++ } ++ ++ if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0) ++ return 0; ++ ++ return fc; ++} ++ ++static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len) ++{ ++ unsigned int fc = ctx->plat.s390x.fc; ++ ++ if (ctx->plat.s390x.ikp) ++ fc |= S390X_KMAC_IKP; ++ ++ if (ctx->plat.s390x.iimp) ++ fc |= S390X_KMAC_IIMP; ++ ++ switch (ctx->plat.s390x.fc) { ++ case S390X_HMAC_SHA_224: ++ case S390X_HMAC_SHA_256: ++ ctx->plat.s390x.param.hmac_224_256.imbl += ((uint64_t)len * 8); ++ break; ++ case S390X_HMAC_SHA_384: ++ case S390X_HMAC_SHA_512: ++ ctx->plat.s390x.param.hmac_384_512.imbl += ((uint128_t)len * 8); ++ break; ++ default: ++ break; ++ } ++ ++ s390x_kmac(in, len, fc, &ctx->plat.s390x.param); ++ ++ ctx->plat.s390x.ikp = 1; ++} ++ ++int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl) ++{ ++ unsigned char *key_param; ++ unsigned int key_param_len; ++ ++ ctx->plat.s390x.fc = s390x_fc_from_md(ctx->md); ++ if (ctx->plat.s390x.fc == 0) ++ return -1; /* Not supported by kmac instruction */ ++ ++ ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md); ++ if (ctx->plat.s390x.blk_size < 0) ++ return 0; ++ ++ if (ctx->plat.s390x.size != ++ (size_t)(ctx->plat.s390x.blk_size * HMAC_S390X_BUF_NUM_BLOCKS)) { ++ OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size); ++ 
ctx->plat.s390x.size = 0; ++ ctx->plat.s390x.buf = OPENSSL_zalloc(ctx->plat.s390x.blk_size * ++ HMAC_S390X_BUF_NUM_BLOCKS); ++ if (ctx->plat.s390x.buf == NULL) ++ return 0; ++ ctx->plat.s390x.size = ctx->plat.s390x.blk_size * ++ HMAC_S390X_BUF_NUM_BLOCKS; ++ } ++ ctx->plat.s390x.num = 0; ++ ++ ctx->plat.s390x.ikp = 0; ++ ctx->plat.s390x.iimp = 1; ++ ++ switch (ctx->plat.s390x.fc) { ++ case S390X_HMAC_SHA_224: ++ case S390X_HMAC_SHA_256: ++ ctx->plat.s390x.param.hmac_224_256.imbl = 0; ++ OPENSSL_cleanse(ctx->plat.s390x.param.hmac_224_256.h, ++ sizeof(ctx->plat.s390x.param.hmac_224_256.h)); ++ break; ++ case S390X_HMAC_SHA_384: ++ case S390X_HMAC_SHA_512: ++ ctx->plat.s390x.param.hmac_384_512.imbl = 0; ++ OPENSSL_cleanse(ctx->plat.s390x.param.hmac_384_512.h, ++ sizeof(ctx->plat.s390x.param.hmac_384_512.h)); ++ break; ++ default: ++ return 0; ++ } ++ ++ if (key != NULL) { ++ switch (ctx->plat.s390x.fc) { ++ case S390X_HMAC_SHA_224: ++ case S390X_HMAC_SHA_256: ++ OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_224_256.key, ++ sizeof(ctx->plat.s390x.param.hmac_224_256.key)); ++ key_param = ctx->plat.s390x.param.hmac_224_256.key; ++ key_param_len = sizeof(ctx->plat.s390x.param.hmac_224_256.key); ++ break; ++ case S390X_HMAC_SHA_384: ++ case S390X_HMAC_SHA_512: ++ OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_384_512.key, ++ sizeof(ctx->plat.s390x.param.hmac_384_512.key)); ++ key_param = ctx->plat.s390x.param.hmac_384_512.key; ++ key_param_len = sizeof(ctx->plat.s390x.param.hmac_384_512.key); ++ break; ++ default: ++ return 0; ++ } ++ ++ if (!ossl_assert(ctx->plat.s390x.blk_size <= (int)key_param_len)) ++ return 0; ++ ++ if (key_len > ctx->plat.s390x.blk_size) { ++ if (!EVP_DigestInit_ex(ctx->md_ctx, ctx->md, impl) ++ || !EVP_DigestUpdate(ctx->md_ctx, key, key_len) ++ || !EVP_DigestFinal_ex(ctx->md_ctx, key_param, ++ &key_param_len)) ++ return 0; ++ } else { ++ if (key_len < 0 || key_len > (int)key_param_len) ++ return 0; ++ memcpy(key_param, key, key_len); ++ /* remaining key 
bytes already zeroed out above */ ++ } ++ } ++ ++ return 1; ++} ++ ++int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len) ++{ ++ size_t remain, num; ++ ++ if (len == 0) ++ return 1; ++ ++ /* buffer is full, process it now */ ++ if (ctx->plat.s390x.num == ctx->plat.s390x.size) { ++ s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num); ++ ++ ctx->plat.s390x.num = 0; ++ } ++ ++ remain = ctx->plat.s390x.size - ctx->plat.s390x.num; ++ if (len > remain) { ++ /* data does not fit into buffer */ ++ if (ctx->plat.s390x.num > 0) { ++ /* first fill buffer and process it */ ++ memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, remain); ++ ctx->plat.s390x.num += remain; ++ ++ s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num); ++ ++ ctx->plat.s390x.num = 0; ++ ++ data += remain; ++ len -= remain; ++ } ++ ++ if (!ossl_assert(ctx->plat.s390x.num == 0)) ++ return 0; ++ ++ if (len > ctx->plat.s390x.size) { ++ /* ++ * remaining data is still larger than buffer, process remaining ++ * full blocks of input directly ++ */ ++ remain = len % ctx->plat.s390x.blk_size; ++ num = len - remain; ++ ++ s390x_call_kmac(ctx, data, num); ++ ++ data += num; ++ len -= num; ++ } ++ } ++ ++ /* add remaining input data (which is < buffer size) to buffer */ ++ if (!ossl_assert(len <= ctx->plat.s390x.size)) ++ return 0; ++ ++ if (len > 0) { ++ memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, len); ++ ctx->plat.s390x.num += len; ++ } ++ ++ return 1; ++} ++ ++int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) ++{ ++ void *result; ++ unsigned int res_len; ++ ++ ctx->plat.s390x.iimp = 0; /* last block */ ++ s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num); ++ ++ ctx->plat.s390x.num = 0; ++ ++ switch (ctx->plat.s390x.fc) { ++ case S390X_HMAC_SHA_224: ++ result = &ctx->plat.s390x.param.hmac_224_256.h[0]; ++ res_len = SHA224_DIGEST_LENGTH; ++ break; ++ case S390X_HMAC_SHA_256: ++ result = 
&ctx->plat.s390x.param.hmac_224_256.h[0];
++ res_len = SHA256_DIGEST_LENGTH;
++ break;
++ case S390X_HMAC_SHA_384:
++ result = &ctx->plat.s390x.param.hmac_384_512.h[0];
++ res_len = SHA384_DIGEST_LENGTH;
++ break;
++ case S390X_HMAC_SHA_512:
++ result = &ctx->plat.s390x.param.hmac_384_512.h[0];
++ res_len = SHA512_DIGEST_LENGTH;
++ break;
++ default:
++ return 0;
++ }
++
++ memcpy(md, result, res_len);
++ if (len != NULL)
++ *len = res_len;
++
++ return 1;
++}
++
++int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
++{
++ dctx->plat.s390x.fc = sctx->plat.s390x.fc;
++ dctx->plat.s390x.blk_size = sctx->plat.s390x.blk_size;
++ dctx->plat.s390x.ikp = sctx->plat.s390x.ikp;
++ dctx->plat.s390x.iimp = sctx->plat.s390x.iimp;
++
++ memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param,
++ sizeof(dctx->plat.s390x.param));
++
++ dctx->plat.s390x.buf = NULL;
++ if (sctx->plat.s390x.buf != NULL) {
++ dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf,
++ sctx->plat.s390x.size);
++ if (dctx->plat.s390x.buf == NULL)
++ return 0;
++ }
++
++ dctx->plat.s390x.size = sctx->plat.s390x.size;
++ dctx->plat.s390x.num = sctx->plat.s390x.num;
++
++ return 1;
++}
++
++int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx)
++{
++ OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size);
++ ctx->plat.s390x.buf = NULL;
++ ctx->plat.s390x.size = 0;
++ ctx->plat.s390x.num = 0;
++
++ OPENSSL_cleanse(&ctx->plat.s390x.param, sizeof(ctx->plat.s390x.param));
++
++ ctx->plat.s390x.blk_size = 0;
++ ctx->plat.s390x.ikp = 0;
++ ctx->plat.s390x.iimp = 1;
++
++ ctx->plat.s390x.fc = 0;
++
++ return 1;
++}
++
++#endif
+Index: openssl-3.2.3/crypto/s390x_arch.h
+===================================================================
+--- openssl-3.2.3.orig/crypto/s390x_arch.h
++++ openssl-3.2.3/crypto/s390x_arch.h
+@@ -192,5 +192,8 @@ extern int OPENSSL_s390xcex;
+ # define S390X_KMA_HS 0x400
+ # define S390X_KDSA_D 0x80
+ # define S390X_KLMD_PS 0x100
++# define S390X_KMAC_IKP 0x8000
++# define
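Review bot: s390x_HMAC_CTX_copy() sets `dctx->plat.s390x.buf = NULL` and then OPENSSL_memdup()s the source buffer without releasing whatever dctx already owned, so copying into a context that was initialised earlier leaks the previous buffer and leaves the buffered message bytes it holds unwiped. As far as the visible HMAC_CTX_copy hunk shows, nothing cleans dctx before the call, so the release has to happen here: `OPENSSL_clear_free(dctx->plat.s390x.buf, dctx->plat.s390x.size);` immediately before the `dctx->plat.s390x.buf = NULL;` line. If a later patch in this series already adds that, disregard.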
S390X_KMAC_IIMP 0x4000
++# define S390X_KMAC_CCUP 0x2000
+
+ #endif
diff --git a/openssl-3-add-xof-state-handling-s3_absorb.patch b/openssl-3-add-xof-state-handling-s3_absorb.patch
new file mode 100644
index 0000000..ae73e9f
--- /dev/null
+++ b/openssl-3-add-xof-state-handling-s3_absorb.patch
@@ -0,0 +1,32 @@
+commit 1337b50936ed190a98af1ee6601d857b42a3d296
+Author: Holger Dengler
+Date: Wed Sep 27 21:54:34 2023 +0200
+
+ Add xof state handing for generic sha3 absorb.
+
+ The digest life-cycle diagram specifies state transitions to `updated`
+ (aka XOF_STATE_ABSORB) only from `initialised` and `updated`. Add this
+ checking to the generic sha3 absorb implementation.
+
+ Signed-off-by: Holger Dengler
+
+ Reviewed-by: Shane Lontis
+ Reviewed-by: Todd Short
+ Reviewed-by: Tomas Mraz
+ (Merged from https://github.com/openssl/openssl/pull/22221)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -143,6 +143,10 @@ static size_t generic_sha3_absorb(void *
+ {
+ KECCAK1600_CTX *ctx = vctx;
+
++ if (!(ctx->xof_state == XOF_STATE_INIT ||
++ ctx->xof_state == XOF_STATE_ABSORB))
++ return 0;
++ ctx->xof_state = XOF_STATE_ABSORB;
+ return SHA3_absorb(ctx->A, inp, len, ctx->block_size);
+ }
+
diff --git a/openssl-3-add_EVP_DigestSqueeze_api.patch b/openssl-3-add_EVP_DigestSqueeze_api.patch
new file mode 100644
index 0000000..58b4713
--- /dev/null
+++ b/openssl-3-add_EVP_DigestSqueeze_api.patch
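Review bot: generic_sha3_absorb() returns size_t, and the new `return 0;` on an unexpected xof_state is indistinguishable from SHA3_absorb() reporting no leftover bytes, so if the caller reads the value as a remainder count (which the size_t signature suggests) an out-of-state absorb would be silently discarded rather than reported. In practice ossl_sha3_update() in the EVP_DigestSqueeze patch of this same commit rejects XOF_STATE_SQUEEZE and XOF_STATE_FINAL before absorb is reached, which makes this check a defence-in-depth guard, and that should be said in a comment above it, e.g. `/* Normally unreachable: ossl_sha3_update() rejects SQUEEZE/FINAL first; 0 here reads as "nothing left over", not as an error */`. The enclosing function is fully inside the hunk.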
@@ -0,0 +1,1781 @@ +commit 536649082212e7c643ab8d7bab89f620fbcd37f0 +Author: slontis +Date: Fri Jul 21 15:05:38 2023 +1000 + + Add EVP_DigestSqueeze() API. + + Fixes #7894 + + This allows SHAKE to squeeze multiple times with different output sizes. + + The existing EVP_DigestFinalXOF() API has been left as a one shot + operation. A similar interface is used by another toolkit. + + The low level SHA3_Squeeze() function needed to change slightly so + that it can handle multiple squeezes. This involves changing the + assembler code so that it passes a boolean to indicate whether + the Keccak function should be called on entry. + At the provider level, the squeeze is buffered, so that it only requests + a multiple of the blocksize when SHA3_Squeeze() is called. On the first + call the value is zero, on subsequent calls the value passed is 1. + + This PR is derived from the excellent work done by @nmathewson in + https://github.com/openssl/openssl/pull/7921 + + Reviewed-by: Paul Dale + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/21511) + +Index: openssl-3.2.3/crypto/evp/digest.c +=================================================================== +--- openssl-3.2.3.orig/crypto/evp/digest.c ++++ openssl-3.2.3/crypto/evp/digest.c +@@ -502,6 +502,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, + return ret; + } + ++/* This is a one shot operation */ + int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t size) + { + int ret = 0; +@@ -526,10 +527,15 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, + return 0; + } + ++ /* ++ * For backward compatibility we pass the XOFLEN via a param here so that ++ * older providers can use the supplied value. Ideally we should have just ++ * used the size passed into ctx->digest->dfinal(). 
++ */ + params[i++] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_XOFLEN, &size); + params[i++] = OSSL_PARAM_construct_end(); + +- if (EVP_MD_CTX_set_params(ctx, params) > 0) ++ if (EVP_MD_CTX_set_params(ctx, params) >= 0) + ret = ctx->digest->dfinal(ctx->algctx, md, &size, size); + + ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; +@@ -553,6 +559,27 @@ legacy: + return ret; + } + ++/* EVP_DigestSqueeze() can be called multiple times */ ++int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size) ++{ ++ if (ctx->digest == NULL) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_NULL_ALGORITHM); ++ return 0; ++ } ++ ++ if (ctx->digest->prov == NULL) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION); ++ return 0; ++ } ++ ++ if (ctx->digest->dsqueeze == NULL) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_METHOD_NOT_SUPPORTED); ++ return 0; ++ } ++ ++ return ctx->digest->dsqueeze(ctx->algctx, md, &size, size); ++} ++ + EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in) + { + EVP_MD_CTX *out = EVP_MD_CTX_new(); +@@ -1032,6 +1059,12 @@ static void *evp_md_from_algorithm(int n + fncnt++; + } + break; ++ case OSSL_FUNC_DIGEST_SQUEEZE: ++ if (md->dsqueeze == NULL) { ++ md->dsqueeze = OSSL_FUNC_digest_squeeze(fns); ++ fncnt++; ++ } ++ break; + case OSSL_FUNC_DIGEST_DIGEST: + if (md->digest == NULL) + md->digest = OSSL_FUNC_digest_digest(fns); +@@ -1075,7 +1108,7 @@ static void *evp_md_from_algorithm(int n + break; + } + } +- if ((fncnt != 0 && fncnt != 5) ++ if ((fncnt != 0 && fncnt != 5 && fncnt != 6) + || (fncnt == 0 && md->digest == NULL)) { + /* + * In order to be a consistent set of functions we either need the +Index: openssl-3.2.3/crypto/evp/legacy_sha.c +=================================================================== +--- openssl-3.2.3.orig/crypto/evp/legacy_sha.c ++++ openssl-3.2.3/crypto/evp/legacy_sha.c +@@ -37,7 +37,8 @@ static int nm##_update(EVP_MD_CTX *ctx, + } \ + static int nm##_final(EVP_MD_CTX *ctx, unsigned char *md) \ + { \ +- return fn##_final(md, 
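Review bot: Changing `EVP_MD_CTX_set_params(ctx, params) > 0` to `>= 0` in EVP_DigestFinalXOF() means a failed xoflen set no longer prevents dfinal() from running, and the comment above explains only why the param is passed, not why its failure is now tolerated, so the condition reads like a typo to the next reader. Add the rationale on that line, e.g. `/* a set_params failure is deliberately ignored: the size is also passed to dfinal() */`, assuming that is the intent. The new EVP_DigestSqueeze() also neither checks nor sets EVP_MD_CTX_FLAG_FINALISED as EVP_DigestFinalXOF() does, so squeeze-after-final is left entirely to the provider's state checks; a one-line comment stating that would help. EVP_DigestFinalXOF's body starts and ends outside the hunk.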
EVP_MD_CTX_get0_md_data(ctx)); \ ++ KECCAK1600_CTX *kctx = EVP_MD_CTX_get0_md_data(ctx); \ ++ return fn##_final(kctx, md, kctx->md_size); \ + } + #define IMPLEMENT_LEGACY_EVP_MD_METH_SHAKE(nm, fn, tag) \ + static int nm##_init(EVP_MD_CTX *ctx) \ +Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv4.pl +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-armv4.pl ++++ openssl-3.2.3/crypto/sha/asm/keccak1600-armv4.pl +@@ -966,6 +966,8 @@ SHA3_squeeze: + stmdb sp!,{r6-r9} + + mov r14,$A_flat ++ cmp r4, #0 @ r4 = 'next' argument ++ bne .Lnext_block + b .Loop_squeeze + + .align 4 +@@ -1037,7 +1039,7 @@ SHA3_squeeze: + + subs $bsz,$bsz,#8 @ bsz -= 8 + bhi .Loop_squeeze +- ++.Lnext_block: + mov r0,r14 @ original $A_flat + + bl KeccakF1600 +Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv8.pl +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-armv8.pl ++++ openssl-3.2.3/crypto/sha/asm/keccak1600-armv8.pl +@@ -483,6 +483,8 @@ SHA3_squeeze: + mov $out,x1 + mov $len,x2 + mov $bsz,x3 ++ cmp x4, #0 // x4 = 'next' argument ++ bne .Lnext_block + + .Loop_squeeze: + ldr x4,[x0],#8 +@@ -497,7 +499,7 @@ SHA3_squeeze: + + subs x3,x3,#8 + bhi .Loop_squeeze +- ++.Lnext_block: + mov x0,$A_flat + bl KeccakF1600 + mov x0,$A_flat +Index: openssl-3.2.3/crypto/sha/asm/keccak1600-ppc64.pl +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-ppc64.pl ++++ openssl-3.2.3/crypto/sha/asm/keccak1600-ppc64.pl +@@ -668,6 +668,8 @@ SHA3_squeeze: + subi $out,r4,1 ; prepare for stbu + mr $len,r5 + mr $bsz,r6 ++ ${UCMP}i r7,1 ; r7 = 'next' argument ++ blt .Lnext_block + b .Loop_squeeze + + .align 4 +@@ -698,6 +700,7 @@ SHA3_squeeze: + subic. 
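Review bot: In the ppc64 SHA3_squeeze prologue the new `next` test `${UCMP}i r7,1` / `blt .Lnext_block` branches when r7 is below 1, i.e. when next == 0, which is the inverse of the armv4/armv8 `cmp …,#0` / `bne .Lnext_block`, the x86_64 `bt $0,$next` / `jc .Lnext_block` and the C `if (next) KeccakF1600(A);` in keccak1600.c. As written, the first squeeze on ppc64 would run the permutation before emitting any output and later squeezes would skip it, so multi-call SHAKE output would differ from the other backends. Unless the compare semantics differ from how I read them, branch on next != 0 like the other ports: `${UCMP}i r7,0 ; r7 = 'next' argument` followed by `bne .Lnext_block`. If a later patch in this series corrects this, disregard; SHA3_squeeze's body continues outside the hunk.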
r6,r6,8 + bgt .Loop_squeeze + ++.Lnext_block: + mr r3,$A_flat + bl KeccakF1600 + subi r3,$A_flat,8 ; prepare for ldu +Index: openssl-3.2.3/crypto/sha/asm/keccak1600-x86_64.pl +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-x86_64.pl ++++ openssl-3.2.3/crypto/sha/asm/keccak1600-x86_64.pl +@@ -503,12 +503,12 @@ SHA3_absorb: + .size SHA3_absorb,.-SHA3_absorb + ___ + } +-{ my ($A_flat,$out,$len,$bsz) = ("%rdi","%rsi","%rdx","%rcx"); ++{ my ($A_flat,$out,$len,$bsz,$next) = ("%rdi","%rsi","%rdx","%rcx","%r8"); + ($out,$len,$bsz) = ("%r12","%r13","%r14"); + + $code.=<<___; + .globl SHA3_squeeze +-.type SHA3_squeeze,\@function,4 ++.type SHA3_squeeze,\@function,5 + .align 32 + SHA3_squeeze: + .cfi_startproc +@@ -520,10 +520,12 @@ SHA3_squeeze: + .cfi_push %r14 + + shr \$3,%rcx +- mov $A_flat,%r8 ++ mov $A_flat,%r9 + mov %rsi,$out + mov %rdx,$len + mov %rcx,$bsz ++ bt \$0,$next ++ jc .Lnext_block + jmp .Loop_squeeze + + .align 32 +@@ -531,8 +533,8 @@ SHA3_squeeze: + cmp \$8,$len + jb .Ltail_squeeze + +- mov (%r8),%rax +- lea 8(%r8),%r8 ++ mov (%r9),%rax ++ lea 8(%r9),%r9 + mov %rax,($out) + lea 8($out),$out + sub \$8,$len # len -= 8 +@@ -540,14 +542,14 @@ SHA3_squeeze: + + sub \$1,%rcx # bsz-- + jnz .Loop_squeeze +- ++.Lnext_block: + call KeccakF1600 +- mov $A_flat,%r8 ++ mov $A_flat,%r9 + mov $bsz,%rcx + jmp .Loop_squeeze + + .Ltail_squeeze: +- mov %r8, %rsi ++ mov %r9, %rsi + mov $out,%rdi + mov $len,%rcx + .byte 0xf3,0xa4 # rep movsb +Index: openssl-3.2.3/crypto/sha/keccak1600.c +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/keccak1600.c ++++ openssl-3.2.3/crypto/sha/keccak1600.c +@@ -13,7 +13,7 @@ + + size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len, + size_t r); +-void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r); ++void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, 
int next); + + #if !defined(KECCAK1600_ASM) || !defined(SELFTEST) + +@@ -1090,10 +1090,16 @@ size_t SHA3_absorb(uint64_t A[5][5], con + } + + /* +- * sha3_squeeze is called once at the end to generate |out| hash value +- * of |len| bytes. ++ * SHA3_squeeze may be called after SHA3_absorb to generate |out| hash value of ++ * |len| bytes. ++ * If multiple SHA3_squeeze calls are required the output length |len| must be a ++ * multiple of the blocksize, with |next| being 0 on the first call and 1 on ++ * subsequent calls. It is the callers responsibility to buffer the results. ++ * When only a single call to SHA3_squeeze is required, |len| can be any size ++ * and |next| must be 0. + */ +-void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r) ++void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, ++ int next) + { + uint64_t *A_flat = (uint64_t *)A; + size_t i, w = r / 8; +@@ -1101,6 +1107,9 @@ void SHA3_squeeze(uint64_t A[5][5], unsi + assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0); + + while (len != 0) { ++ if (next) ++ KeccakF1600(A); ++ next = 1; + for (i = 0; i < w && len != 0; i++) { + uint64_t Ai = BitDeinterleave(A_flat[i]); + +@@ -1123,8 +1132,6 @@ void SHA3_squeeze(uint64_t A[5][5], unsi + out += 8; + len -= 8; + } +- if (len) +- KeccakF1600(A); + } + } + #endif +Index: openssl-3.2.3/crypto/sha/sha3.c +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/sha3.c ++++ openssl-3.2.3/crypto/sha/sha3.c +@@ -10,12 +10,13 @@ + #include + #include "internal/sha3.h" + +-void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r); ++void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next); + + void ossl_sha3_reset(KECCAK1600_CTX *ctx) + { + memset(ctx->A, 0, sizeof(ctx->A)); + ctx->bufsz = 0; ++ ctx->xof_state = XOF_STATE_INIT; + } + + int ossl_sha3_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen) +@@ -51,6 
+52,10 @@ int ossl_sha3_update(KECCAK1600_CTX *ctx + if (len == 0) + return 1; + ++ if (ctx->xof_state == XOF_STATE_SQUEEZE ++ || ctx->xof_state == XOF_STATE_FINAL) ++ return 0; ++ + if ((num = ctx->bufsz) != 0) { /* process intermediate buffer? */ + rem = bsz - num; + +@@ -84,13 +89,21 @@ int ossl_sha3_update(KECCAK1600_CTX *ctx + return 1; + } + +-int ossl_sha3_final(unsigned char *md, KECCAK1600_CTX *ctx) ++/* ++ * ossl_sha3_final()is a single shot method ++ * (Use ossl_sha3_squeeze for multiple calls). ++ * outlen is the variable size output. ++ */ ++int ossl_sha3_final(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen) + { + size_t bsz = ctx->block_size; + size_t num = ctx->bufsz; + +- if (ctx->md_size == 0) ++ if (outlen == 0) + return 1; ++ if (ctx->xof_state == XOF_STATE_SQUEEZE ++ || ctx->xof_state == XOF_STATE_FINAL) ++ return 0; + + /* + * Pad the data with 10*1. Note that |num| can be |bsz - 1| +@@ -103,7 +116,86 @@ int ossl_sha3_final(unsigned char *md, K + + (void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz); + +- SHA3_squeeze(ctx->A, md, ctx->md_size, bsz); ++ ctx->xof_state = XOF_STATE_FINAL; ++ SHA3_squeeze(ctx->A, out, outlen, bsz, 0); ++ return 1; ++} ++ ++/* ++ * This method can be called multiple times. ++ * Rather than heavily modifying assembler for SHA3_squeeze(), ++ * we instead just use the limitations of the existing function. ++ * i.e. Only request multiples of the ctx->block_size when calling ++ * SHA3_squeeze(). For output length requests smaller than the ++ * ctx->block_size just request a single ctx->block_size bytes and ++ * buffer the results. The next request will use the buffer first ++ * to grab output bytes. 
++ */ ++int ossl_sha3_squeeze(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen) ++{ ++ size_t bsz = ctx->block_size; ++ size_t num = ctx->bufsz; ++ size_t len; ++ int next = 1; ++ ++ if (outlen == 0) ++ return 1; ++ ++ if (ctx->xof_state == XOF_STATE_FINAL) ++ return 0; ++ ++ /* ++ * On the first squeeze call, finish the absorb process, ++ * by adding the trailing padding and then doing ++ * a final absorb. ++ */ ++ if (ctx->xof_state != XOF_STATE_SQUEEZE) { ++ /* ++ * Pad the data with 10*1. Note that |num| can be |bsz - 1| ++ * in which case both byte operations below are performed on ++ * same byte... ++ */ ++ memset(ctx->buf + num, 0, bsz - num); ++ ctx->buf[num] = ctx->pad; ++ ctx->buf[bsz - 1] |= 0x80; ++ (void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz); ++ ctx->xof_state = XOF_STATE_SQUEEZE; ++ num = ctx->bufsz = 0; ++ next = 0; ++ } ++ ++ /* ++ * Step 1. Consume any bytes left over from a previous squeeze ++ * (See Step 4 below). ++ */ ++ if (num != 0) { ++ if (outlen > ctx->bufsz) ++ len = ctx->bufsz; ++ else ++ len = outlen; ++ memcpy(out, ctx->buf + bsz - ctx->bufsz, len); ++ out += len; ++ outlen -= len; ++ ctx->bufsz -= len; ++ } ++ if (outlen == 0) ++ return 1; ++ ++ /* Step 2. Copy full sized squeezed blocks to the output buffer directly */ ++ if (outlen >= bsz) { ++ len = bsz * (outlen / bsz); ++ SHA3_squeeze(ctx->A, out, len, bsz, next); ++ next = 1; ++ out += len; ++ outlen -= len; ++ } ++ if (outlen > 0) { ++ /* Step 3. Squeeze one more block into a buffer */ ++ SHA3_squeeze(ctx->A, ctx->buf, bsz, bsz, next); ++ memcpy(out, ctx->buf, outlen); ++ /* Step 4. 
Remember the leftover part of the squeezed block */ ++ ctx->bufsz = bsz - outlen; ++ } + + return 1; + } +Index: openssl-3.2.3/doc/life-cycles/digest.dot +=================================================================== +--- openssl-3.2.3.orig/doc/life-cycles/digest.dot ++++ openssl-3.2.3/doc/life-cycles/digest.dot +@@ -6,28 +6,30 @@ digraph digest { + initialised [label=initialised, fontcolor="#c94c4c"]; + updated [label=updated, fontcolor="#c94c4c"]; + finaled [label="finaled", fontcolor="#c94c4c"]; ++ squeezed [label="squeezed", fontcolor="#c94c4c"]; + end [label="freed", color="#deeaee", style="filled"]; + + begin -> newed [label="EVP_MD_CTX_new"]; +- newed -> initialised [label="EVP_DigestInit"]; +- initialised -> updated [label="EVP_DigestUpdate", weight=3]; ++ newed -> initialised [label="EVP_DigestInit", weight=100]; ++ initialised -> updated [label="EVP_DigestUpdate", weight=100]; + updated -> updated [label="EVP_DigestUpdate"]; +- updated -> finaled [label="EVP_DigestFinal"]; ++ updated -> finaled [label="EVP_DigestFinal", weight=2]; + updated -> finaled [label="EVP_DigestFinalXOF", + fontcolor="#808080", color="#808080"]; +- /* Once this works it should go back in: +- finaled -> finaled [taillabel="EVP_DigestFinalXOF", +- labeldistance=9, labelangle=345, +- labelfontcolor="#808080", color="#808080"]; +- */ ++ updated -> squeezed [label="EVP_DigestSqueeze", weight=3]; + finaled -> end [label="EVP_MD_CTX_free"]; +- finaled -> newed [label="EVP_MD_CTX_reset", style=dashed, weight=2, ++ finaled -> newed [label="EVP_MD_CTX_reset", style=dashed, + color="#034f84", fontcolor="#034f84"]; + updated -> newed [label="EVP_MD_CTX_reset", style=dashed, + color="#034f84", fontcolor="#034f84"]; +- updated -> initialised [label="EVP_DigestInit", weight=0, style=dashed, ++ updated -> initialised [label="EVP_DigestInit", style=dashed, + color="#034f84", fontcolor="#034f84"]; + finaled -> initialised [label="EVP_DigestInit", style=dashed, + color="#034f84", 
fontcolor="#034f84"]; ++ squeezed -> squeezed [label="EVP_DigestSqueeze"]; ++ squeezed -> end [label="EVP_MD_CTX_free", weight=1]; ++ squeezed -> newed [label="EVP_MD_CTX_reset", style=dashed, ++ color="#034f84", fontcolor="#034f84"]; ++ squeezed -> initialised [label="EVP_DigestInit", style=dashed, ++ color="#034f84", fontcolor="#034f84"]; + } +- +Index: openssl-3.2.3/doc/man3/EVP_DigestInit.pod +=================================================================== +--- openssl-3.2.3.orig/doc/man3/EVP_DigestInit.pod ++++ openssl-3.2.3/doc/man3/EVP_DigestInit.pod +@@ -12,6 +12,7 @@ EVP_MD_CTX_settable_params, EVP_MD_CTX_g + EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags, + EVP_Q_digest, EVP_Digest, EVP_DigestInit_ex2, EVP_DigestInit_ex, EVP_DigestInit, + EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal, ++EVP_DigestSqueeze, + EVP_MD_is_a, EVP_MD_get0_name, EVP_MD_get0_description, + EVP_MD_names_do_all, EVP_MD_get0_provider, EVP_MD_get_type, + EVP_MD_get_pkey_type, EVP_MD_get_size, EVP_MD_get_block_size, EVP_MD_get_flags, +@@ -61,7 +62,8 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EV + int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); + int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); + int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); +- int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); ++ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *out, size_t outlen); ++ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *out, size_t outlen); + + EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in); + int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in); +@@ -293,9 +295,16 @@ initialize a new digest operation. + =item EVP_DigestFinalXOF() + + Interfaces to extendable-output functions, XOFs, such as SHAKE128 and SHAKE256. +-It retrieves the digest value from I and places it in I-sized I. 
++It retrieves the digest value from I and places it in I-sized I. + After calling this function no additional calls to EVP_DigestUpdate() can be + made, but EVP_DigestInit_ex2() can be called to initialize a new operation. ++EVP_DigestFinalXOF() may only be called once ++ ++=item EVP_DigestSqueeze() ++ ++Similar to EVP_DigestFinalXOF() but allows multiple calls to be made to ++squeeze variable length output data. ++EVP_DigestFinalXOF() should not be called after this. + + =item EVP_MD_CTX_dup() + +@@ -480,8 +489,9 @@ EVP_MD_CTX_set_params() can be used with + =item "xoflen" (B) + + Sets the digest length for extendable output functions. +-It is used by the SHAKE algorithm and should not exceed what can be given +-using a B. ++The value should not exceed what can be given using a B. ++It may be used by BLAKE2B-512, SHAKE-128 and SHAKE-256 to set the ++output length used by EVP_DigestFinal_ex() and EVP_DigestFinal(). + + =item "pad-type" (B) + +@@ -801,7 +811,8 @@ EVP_MD_CTX_get0_md() instead. + EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated + in OpenSSL 3.0. + +-EVP_MD_CTX_dup() was added in OpenSSL 3.2. ++The functions EVP_MD_CTX_dup() and EVP_DigestSqueeze() were added in ++OpenSSL 3.2. + + =head1 COPYRIGHT + +Index: openssl-3.2.3/doc/man7/EVP_MD-BLAKE2.pod +=================================================================== +--- openssl-3.2.3.orig/doc/man7/EVP_MD-BLAKE2.pod ++++ openssl-3.2.3/doc/man7/EVP_MD-BLAKE2.pod +@@ -25,6 +25,17 @@ Known names are "BLAKE2B-512" and "BLAKE + + =back + ++=head2 Settable Parameters ++ ++"BLAKE2B-512" supports the following EVP_MD_CTX_set_params() key ++described in L. 
++ ++=over 4 ++ ++=item "xoflen" (B) ++ ++=back ++ + =head2 Gettable Parameters + + This implementation supports the common gettable parameters described +Index: openssl-3.2.3/doc/man7/EVP_MD-SHAKE.pod +=================================================================== +--- openssl-3.2.3.orig/doc/man7/EVP_MD-SHAKE.pod ++++ openssl-3.2.3/doc/man7/EVP_MD-SHAKE.pod +@@ -70,8 +70,21 @@ For backwards compatibility reasons the + 32 (bytes) which results in a security strength of only 128 bits. To ensure the + maximum security strength of 256 bits, the xoflen should be set to at least 64. + ++This parameter may be used when calling either EVP_DigestFinal_ex() or ++EVP_DigestFinal(), since these functions were not designed to handle variable ++length output. It is recommended to either use EVP_DigestSqueeze() or ++EVP_DigestFinalXOF() instead. ++ + =back + ++=head1 NOTES ++ ++For SHAKE-128, to ensure the maximum security strength of 128 bits, the output ++length passed to EVP_DigestFinalXOF() should be at least 32. ++ ++For SHAKE-256, to ensure the maximum security strength of 256 bits, the output ++length passed to EVP_DigestFinalXOF() should be at least 64. ++ + =head1 SEE ALSO + + L, L, L +Index: openssl-3.2.3/doc/man7/life_cycle-digest.pod +=================================================================== +--- openssl-3.2.3.orig/doc/man7/life_cycle-digest.pod ++++ openssl-3.2.3/doc/man7/life_cycle-digest.pod +@@ -32,6 +32,14 @@ additional input or generating output. + =item finaled + + This state represents the MD when it has generated output. ++For an XOF digest, this state represents the MD when it has generated a ++single-shot output. ++ ++=item squeezed ++ ++For an XOF digest, this state represents the MD when it has generated output. ++It can be called multiple times to generate more output. The output length is ++variable for each call. 
+ + =item freed + +@@ -46,39 +54,57 @@ The usual life-cycle of a MD is illustra + + =begin man + +- +-------------------+ +- | start | +- +-------------------+ +- | +- | EVP_MD_CTX_new +- v +- +-------------------+ EVP_MD_CTX_reset +- | newed | <------------------------------+ +- +-------------------+ | +- | | +- | EVP_DigestInit | +- v | +- +-------------------+ | +- +--> | initialised | <+ EVP_DigestInit | +- | +-------------------+ | | +- | | | EVP_DigestUpdate | +- | | EVP_DigestUpdate | +------------------+ | +- | v | v | | +- | +------------------------------------------------+ | +- EVP_DigestInit | | updated | --+ +- | +------------------------------------------------+ | +- | | | | +- | | EVP_DigestFinal | EVP_DigestFinalXOF | +- | v v | +- | +------------------------------------------------+ | +- +--- | finaled | --+ +- +------------------------------------------------+ +- | +- | EVP_MD_CTX_free +- v +- +-------------------+ +- | freed | +- +-------------------+ ++ +--------------------+ ++ | start | ++ +--------------------+ ++ | EVP_MD_CTX_reset ++ | EVP_MD_CTX_new +-------------------------------------------------+ ++ v v | ++ EVP_MD_CTX_reset + - - - - - - - - - - - - - - - - - - - - - - + EVP_MD_CTX_reset | ++ +-------------------> ' newed ' <--------------------+ | ++ | + - - - - - - - - - - - - - - - - - - - - - - + | | ++ | | | | ++ | | EVP_DigestInit | | ++ | v | | ++ | EVP_DigestInit + - - - - - - - - - - - - - - - - - - - - - - + | | ++ +----+-------------------> ' initialised ' <+ EVP_DigestInit | | ++ | | + - - - - - - - - - - - - - - - - - - - - - - + | | | ++ | | | ^ | | | ++ | | | EVP_DigestUpdate | EVP_DigestInit | | | ++ | | v | | | | ++ | | +---------------------------------------------+ | | | ++ | +-------------------- | | | | | ++ | | | | | | ++ | EVP_DigestUpdate | | | | | ++ | +-------------------- | | | | | ++ | | | updated | | | | ++ | +-------------------> | | | | | ++ | | | | | | ++ | | | | | | ++ +----+------------------------- | 
| -+-------------------+----+ | ++ | | +---------------------------------------------+ | | | | ++ | | | | | | | ++ | | | EVP_DigestSqueeze +-------------------+ | | | ++ | | v | | | | ++ | | EVP_DigestSqueeze +---------------------------------------------+ | | | ++ | | +-------------------- | | | | | ++ | | | | squeezed | | | | ++ | | +-------------------> | | ---------------------+ | | ++ | | +---------------------------------------------+ | | ++ | | | | | ++ | | +---------------------------------------+ | | ++ | | | | | ++ | | +---------------------------------------------+ EVP_DigestFinalXOF | | | ++ | +------------------------- | finaled | <--------------------+----+ | ++ | +---------------------------------------------+ | | ++ | EVP_DigestFinal ^ | | | | ++ +---------------------------------+ | | EVP_MD_CTX_free | | ++ | v | | ++ | +------------------+ EVP_MD_CTX_free | | ++ | | freed | <--------------------+ | ++ | +------------------+ | ++ | | ++ +------------------------------------------------------+ + + =end man + +@@ -91,19 +117,21 @@ This is the canonical list. 
+ + =begin man + +- Function Call --------------------- Current State ---------------------- +- start newed initialised updated finaled freed ++ Function Call --------------------- Current State ----------------------------------- ++ start newed initialised updated finaled squeezed freed + EVP_MD_CTX_new newed +- EVP_DigestInit initialised initialised initialised initialised ++ EVP_DigestInit initialised initialised initialised initialised initialised + EVP_DigestUpdate updated updated + EVP_DigestFinal finaled + EVP_DigestFinalXOF finaled ++ EVP_DigestSqueeze squeezed squeezed + EVP_MD_CTX_free freed freed freed freed freed + EVP_MD_CTX_reset newed newed newed newed + EVP_MD_CTX_get_params newed initialised updated + EVP_MD_CTX_set_params newed initialised updated + EVP_MD_CTX_gettable_params newed initialised updated + EVP_MD_CTX_settable_params newed initialised updated ++ EVP_MD_CTX_copy_ex newed initialised updated squeezed + + =end man + +@@ -118,6 +146,7 @@ This is the canonical list. + initialised + updated + finaled ++ squeezed + freed + EVP_MD_CTX_new + newed +@@ -125,6 +154,7 @@ This is the canonical list. + + + ++ + + EVP_DigestInit + +@@ -132,6 +162,7 @@ This is the canonical list. + initialised + initialised + initialised ++ initialised + + EVP_DigestUpdate + +@@ -139,6 +170,7 @@ This is the canonical list. + updated + updated + ++ + + EVP_DigestFinal + +@@ -146,6 +178,15 @@ This is the canonical list. + + finaled + ++ ++ ++EVP_DigestSqueeze ++ ++ ++ ++ squeezed ++ ++ squeezed + + EVP_DigestFinalXOF + +@@ -153,6 +194,7 @@ This is the canonical list. + + finaled + ++ + + EVP_MD_CTX_free + freed +@@ -160,6 +202,7 @@ This is the canonical list. + freed + freed + freed ++ + + EVP_MD_CTX_reset + +@@ -167,6 +210,7 @@ This is the canonical list. + newed + newed + newed ++ + + EVP_MD_CTX_get_params + +@@ -174,6 +218,7 @@ This is the canonical list. + initialised + updated + ++ + + EVP_MD_CTX_set_params + +@@ -181,6 +226,7 @@ This is the canonical list. 
+ initialised + updated + ++ + + EVP_MD_CTX_gettable_params + +@@ -188,6 +234,7 @@ This is the canonical list. + initialised + updated + ++ + + EVP_MD_CTX_settable_params + +@@ -195,6 +242,15 @@ This is the canonical list. + initialised + updated + ++ ++ ++EVP_MD_CTX_copy_ex ++ ++ newed ++ initialised ++ updated ++ ++ squeezed + + + +@@ -211,7 +267,7 @@ L, L + +-This digest method is an extensible-output function (XOF) and supports +-setting the B parameter. ++This digest method is an extensible-output function (XOF). + + =item B + +Index: openssl-3.2.3/include/crypto/evp.h +=================================================================== +--- openssl-3.2.3.orig/include/crypto/evp.h ++++ openssl-3.2.3/include/crypto/evp.h +@@ -296,6 +296,7 @@ struct evp_md_st { + OSSL_FUNC_digest_init_fn *dinit; + OSSL_FUNC_digest_update_fn *dupdate; + OSSL_FUNC_digest_final_fn *dfinal; ++ OSSL_FUNC_digest_squeeze_fn *dsqueeze; + OSSL_FUNC_digest_digest_fn *digest; + OSSL_FUNC_digest_freectx_fn *freectx; + OSSL_FUNC_digest_dupctx_fn *dupctx; +Index: openssl-3.2.3/include/internal/sha3.h +=================================================================== +--- openssl-3.2.3.orig/include/internal/sha3.h ++++ openssl-3.2.3/include/internal/sha3.h +@@ -22,23 +22,31 @@ + + typedef struct keccak_st KECCAK1600_CTX; + +-typedef size_t (sha3_absorb_fn)(void *vctx, const void *inp, size_t len); +-typedef int (sha3_final_fn)(unsigned char *md, void *vctx); ++typedef size_t (sha3_absorb_fn)(void *vctx, const void *in, size_t inlen); ++typedef int (sha3_final_fn)(void *vctx, unsigned char *out, size_t outlen); ++typedef int (sha3_squeeze_fn)(void *vctx, unsigned char *out, size_t outlen); + + typedef struct prov_sha3_meth_st + { + sha3_absorb_fn *absorb; + sha3_final_fn *final; ++ sha3_squeeze_fn *squeeze; + } PROV_SHA3_METHOD; + ++#define XOF_STATE_INIT 0 ++#define XOF_STATE_ABSORB 1 ++#define XOF_STATE_FINAL 2 ++#define XOF_STATE_SQUEEZE 3 ++ + struct keccak_st { + uint64_t A[5][5]; ++ 
unsigned char buf[KECCAK1600_WIDTH / 8 - 32]; + size_t block_size; /* cached ctx->digest->block_size */ + size_t md_size; /* output length, variable in XOF */ + size_t bufsz; /* used bytes in below buffer */ +- unsigned char buf[KECCAK1600_WIDTH / 8 - 32]; + unsigned char pad; + PROV_SHA3_METHOD meth; ++ int xof_state; + }; + + void ossl_sha3_reset(KECCAK1600_CTX *ctx); +@@ -46,7 +54,8 @@ int ossl_sha3_init(KECCAK1600_CTX *ctx, + int ossl_keccak_kmac_init(KECCAK1600_CTX *ctx, unsigned char pad, + size_t bitlen); + int ossl_sha3_update(KECCAK1600_CTX *ctx, const void *_inp, size_t len); +-int ossl_sha3_final(unsigned char *md, KECCAK1600_CTX *ctx); ++int ossl_sha3_final(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen); ++int ossl_sha3_squeeze(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen); + + size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len, + size_t r); +Index: openssl-3.2.3/include/openssl/core_dispatch.h +=================================================================== +--- openssl-3.2.3.orig/include/openssl/core_dispatch.h ++++ openssl-3.2.3/include/openssl/core_dispatch.h +@@ -300,6 +300,7 @@ OSSL_CORE_MAKE_FUNC(int, provider_self_t + # define OSSL_FUNC_DIGEST_GETTABLE_PARAMS 11 + # define OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS 12 + # define OSSL_FUNC_DIGEST_GETTABLE_CTX_PARAMS 13 ++# define OSSL_FUNC_DIGEST_SQUEEZE 14 + + OSSL_CORE_MAKE_FUNC(void *, digest_newctx, (void *provctx)) + OSSL_CORE_MAKE_FUNC(int, digest_init, (void *dctx, const OSSL_PARAM params[])) +@@ -308,6 +309,9 @@ OSSL_CORE_MAKE_FUNC(int, digest_update, + OSSL_CORE_MAKE_FUNC(int, digest_final, + (void *dctx, + unsigned char *out, size_t *outl, size_t outsz)) ++OSSL_CORE_MAKE_FUNC(int, digest_squeeze, ++ (void *dctx, ++ unsigned char *out, size_t *outl, size_t outsz)) + OSSL_CORE_MAKE_FUNC(int, digest_digest, + (void *provctx, const unsigned char *in, size_t inl, + unsigned char *out, size_t *outl, size_t outsz)) +Index: 
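Review bot: The context line `size_t bufsz; /* used bytes in below buffer */` becomes stale in this hunk, because `buf` is moved above `bufsz` (it now directly follows `A`), so the comment points the wrong way; change it to `size_t bufsz; /* used bytes in buf */`. The relocation of `buf` itself carries no explanation, and a later reader cannot tell whether the new placement immediately after `A` is required by some consumer of the struct layout or is incidental, so a one-line why-comment on the moved member is needed. The new `int xof_state;` member and the `XOF_STATE_*` defines are likewise undocumented; `int xof_state; /* one of XOF_STATE_INIT/ABSORB/FINAL/SQUEEZE */` would make the state machine discoverable from the header.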
openssl-3.2.3/include/openssl/evp.h +=================================================================== +--- openssl-3.2.3.orig/include/openssl/evp.h ++++ openssl-3.2.3/include/openssl/evp.h +@@ -729,8 +729,10 @@ __owur int EVP_MD_CTX_copy(EVP_MD_CTX *o + __owur int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); + __owur int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, + unsigned int *s); +-__owur int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, +- size_t len); ++__owur int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *out, ++ size_t outlen); ++__owur int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *out, ++ size_t outlen); + + __owur EVP_MD *EVP_MD_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, + const char *properties); +Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +@@ -33,10 +33,12 @@ static OSSL_FUNC_digest_update_fn keccak + static OSSL_FUNC_digest_final_fn keccak_final; + static OSSL_FUNC_digest_freectx_fn keccak_freectx; + static OSSL_FUNC_digest_dupctx_fn keccak_dupctx; ++static OSSL_FUNC_digest_squeeze_fn shake_squeeze; + static OSSL_FUNC_digest_set_ctx_params_fn shake_set_ctx_params; + static OSSL_FUNC_digest_settable_ctx_params_fn shake_settable_ctx_params; + static sha3_absorb_fn generic_sha3_absorb; + static sha3_final_fn generic_sha3_final; ++static sha3_squeeze_fn generic_sha3_squeeze; + + #if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM) + /* +@@ -103,20 +105,37 @@ static int keccak_update(void *vctx, con + } + + static int keccak_final(void *vctx, unsigned char *out, size_t *outl, +- size_t outsz) ++ size_t outlen) + { + int ret = 1; + KECCAK1600_CTX *ctx = vctx; + + if (!ossl_prov_is_running()) + return 0; +- if (outsz > 0) +- ret = ctx->meth.final(out, ctx); ++ 
if (outlen > 0) ++ ret = ctx->meth.final(ctx, out, ctx->md_size); + + *outl = ctx->md_size; + return ret; + } + ++static int shake_squeeze(void *vctx, unsigned char *out, size_t *outl, ++ size_t outlen) ++{ ++ int ret = 1; ++ KECCAK1600_CTX *ctx = vctx; ++ ++ if (!ossl_prov_is_running()) ++ return 0; ++ if (ctx->meth.squeeze == NULL) ++ return 0; ++ if (outlen > 0) ++ ret = ctx->meth.squeeze(ctx, out, outlen); ++ ++ *outl = outlen; ++ return ret; ++} ++ + /*- + * Generic software version of the absorb() and final(). + */ +@@ -127,15 +146,28 @@ static size_t generic_sha3_absorb(void * + return SHA3_absorb(ctx->A, inp, len, ctx->block_size); + } + +-static int generic_sha3_final(unsigned char *md, void *vctx) ++static int generic_sha3_final(void *vctx, unsigned char *out, size_t outlen) + { +- return ossl_sha3_final(md, (KECCAK1600_CTX *)vctx); ++ return ossl_sha3_final((KECCAK1600_CTX *)vctx, out, outlen); ++} ++ ++static int generic_sha3_squeeze(void *vctx, unsigned char *out, size_t outlen) ++{ ++ return ossl_sha3_squeeze((KECCAK1600_CTX *)vctx, out, outlen); + } + + static PROV_SHA3_METHOD sha3_generic_md = + { + generic_sha3_absorb, +- generic_sha3_final ++ generic_sha3_final, ++ NULL ++}; ++ ++static PROV_SHA3_METHOD shake_generic_md = ++{ ++ generic_sha3_absorb, ++ generic_sha3_final, ++ generic_sha3_squeeze + }; + + #if defined(S390_SHA3) +@@ -156,59 +188,60 @@ static size_t s390x_sha3_absorb(void *vc + return rem; + } + +-static int s390x_sha3_final(unsigned char *md, void *vctx) ++static int s390x_sha3_final(void *vctx, unsigned char *out, size_t outlen) + { + KECCAK1600_CTX *ctx = vctx; + + if (!ossl_prov_is_running()) + return 0; + s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A); +- memcpy(md, ctx->A, ctx->md_size); ++ memcpy(out, ctx->A, outlen); + return 1; + } + +-static int s390x_shake_final(unsigned char *md, void *vctx) ++static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen) + { + KECCAK1600_CTX *ctx = vctx; + + if 
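Review bot: In `keccak_final` the renamed `outlen` parameter is still never compared with what is written: `ret = ctx->meth.final(ctx, out, ctx->md_size)` emits `ctx->md_size` bytes into `out` regardless of `outlen`, and the rename from `outsz` makes the parameter read like a requested length when in the `digest_final` dispatch signature it is the capacity of the caller's buffer. The EVP layer presumably keeps `md_size` and the buffer in step, so this is defensive, but a guard `if (outlen < ctx->md_size) return 0;` before the call makes the provider safe on its own terms. In the new `shake_squeeze`, `*outl = outlen;` is assigned even when `ctx->meth.squeeze` returned 0, so a failed squeeze still reports a full output length; assign it only when `ret == 1` or return early on failure.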
(!ossl_prov_is_running()) + return 0; +- s390x_klmd(ctx->buf, ctx->bufsz, md, ctx->md_size, ctx->pad, ctx->A); ++ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A); + return 1; + } + +-static int s390x_keccakc_final(unsigned char *md, void *vctx, int padding) ++static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen, ++ int padding) + { + KECCAK1600_CTX *ctx = vctx; + size_t bsz = ctx->block_size; + size_t num = ctx->bufsz; +- size_t needed = ctx->md_size; ++ size_t needed = outlen; + + if (!ossl_prov_is_running()) + return 0; +- if (ctx->md_size == 0) ++ if (outlen == 0) + return 1; + memset(ctx->buf + num, 0, bsz - num); + ctx->buf[num] = padding; + ctx->buf[bsz - 1] |= 0x80; + s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A); + num = needed > bsz ? bsz : needed; +- memcpy(md, ctx->A, num); ++ memcpy(out, ctx->A, num); + needed -= num; + if (needed > 0) +- s390x_klmd(NULL, 0, md + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A); ++ s390x_klmd(NULL, 0, out + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A); + + return 1; + } + +-static int s390x_keccak_final(unsigned char *md, void *vctx) ++static int s390x_keccak_final(void *vctx, unsigned char *out, size_t outlen) + { +- return s390x_keccakc_final(md, vctx, 0x01); ++ return s390x_keccakc_final(vctx, out, outlen, 0x01); + } + +-static int s390x_kmac_final(unsigned char *md, void *vctx) ++static int s390x_kmac_final(void *vctx, unsigned char *out, size_t outlen) + { +- return s390x_keccakc_final(md, vctx, 0x04); ++ return s390x_keccakc_final(vctx, out, outlen, 0x04); + } + + static PROV_SHA3_METHOD sha3_s390x_md = +@@ -220,7 +253,7 @@ static PROV_SHA3_METHOD sha3_s390x_md = + static PROV_SHA3_METHOD keccak_s390x_md = + { + s390x_sha3_absorb, +- s390x_keccak_final ++ s390x_keccak_final, + }; + + static PROV_SHA3_METHOD shake_s390x_md = +@@ -235,6 +268,14 @@ static PROV_SHA3_METHOD kmac_s390x_md = + s390x_kmac_final + }; + ++# define SHAKE_SET_MD(uname, typ) \ ++ if 
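Review bot: `s390x_sha3_final` now copies a caller-supplied length straight out of the state with `memcpy(out, ctx->A, outlen)`, and `ctx->A` is `uint64_t A[5][5]` (200 bytes), so nothing in the function bounds `outlen`. The only visible caller, `keccak_final`, passes `ctx->md_size`, which for the fixed-length SHA-3 variants that use this method is well under that size, so this is a defensive point rather than a reachable overread in the visible code; still, `if (outlen > sizeof(ctx->A)) return 0;` costs nothing and documents the contract. The corresponding `memcpy(out, ctx->A, num)` in `s390x_keccakc_final` is already fine because `num` is clamped to `bsz` first.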
(S390_SHA3_CAPABLE(uname)) { \ ++ ctx->pad = S390X_##uname; \ ++ ctx->meth = typ##_s390x_md; \ ++ } else { \ ++ ctx->meth = shake_generic_md; \ ++ } ++ + # define SHA3_SET_MD(uname, typ) \ + if (S390_SHA3_CAPABLE(uname)) { \ + ctx->pad = S390X_##uname; \ +@@ -255,7 +296,7 @@ static PROV_SHA3_METHOD kmac_s390x_md = + static sha3_absorb_fn armsha3_sha3_absorb; + + size_t SHA3_absorb_cext(uint64_t A[5][5], const unsigned char *inp, size_t len, +- size_t r); ++ size_t r); + /*- + * Hardware-assisted ARMv8.2 SHA3 extension version of the absorb() + */ +@@ -271,6 +312,19 @@ static PROV_SHA3_METHOD sha3_ARMSHA3_md + armsha3_sha3_absorb, + generic_sha3_final + }; ++static PROV_SHA3_METHOD shake_ARMSHA3_md = ++{ ++ armsha3_sha3_absorb, ++ generic_sha3_final, ++ generic_sha3_squeeze ++}; ++# define SHAKE_SET_MD(uname, typ) \ ++ if (OPENSSL_armcap_P & ARMV8_HAVE_SHA3_AND_WORTH_USING) { \ ++ ctx->meth = shake_ARMSHA3_md; \ ++ } else { \ ++ ctx->meth = shake_generic_md; \ ++ } ++ + # define SHA3_SET_MD(uname, typ) \ + if (OPENSSL_armcap_P & ARMV8_HAVE_SHA3_AND_WORTH_USING) { \ + ctx->meth = sha3_ARMSHA3_md; \ +@@ -286,6 +340,7 @@ static PROV_SHA3_METHOD sha3_ARMSHA3_md + #else + # define SHA3_SET_MD(uname, typ) ctx->meth = sha3_generic_md; + # define KMAC_SET_MD(bitlen) ctx->meth = sha3_generic_md; ++# define SHAKE_SET_MD(uname, typ) ctx->meth = shake_generic_md; + #endif /* S390_SHA3 */ + + #define SHA3_newctx(typ, uname, name, bitlen, pad) \ +@@ -302,6 +357,20 @@ static void *name##_newctx(void *provctx + return ctx; \ + } + ++#define SHAKE_newctx(typ, uname, name, bitlen, pad) \ ++static OSSL_FUNC_digest_newctx_fn name##_newctx; \ ++static void *name##_newctx(void *provctx) \ ++{ \ ++ KECCAK1600_CTX *ctx = ossl_prov_is_running() ? 
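Review bot: On S390_SHA3-capable hardware the new `SHAKE_SET_MD` selects `typ##_s390x_md`, i.e. `shake_s390x_md`, but nothing in this hunk gives that method table a `squeeze` member (the neighbouring `keccak_s390x_md` initializer ends with `s390x_keccak_final,` and no third entry), so its `squeeze` would be NULL and `shake_squeeze` would return 0 for SHAKE on such machines while the generic path succeeds. The start of the `shake_s390x_md` initializer is outside this hunk, so this is inferred; if an s390x squeeze implementation is not supplied elsewhere in the series, the hardware branch should fall back to `ctx->meth = shake_generic_md;` until one exists, otherwise the new `evp_xof_test` fails only on that platform. A comment on the macro naming which table provides `squeeze` would make the dependency visible.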
OPENSSL_zalloc(sizeof(*ctx))\ ++ : NULL; \ ++ \ ++ if (ctx == NULL) \ ++ return NULL; \ ++ ossl_sha3_init(ctx, pad, bitlen); \ ++ SHAKE_SET_MD(uname, typ) \ ++ return ctx; \ ++} ++ + #define KMAC_newctx(uname, bitlen, pad) \ + static OSSL_FUNC_digest_newctx_fn uname##_newctx; \ + static void *uname##_newctx(void *provctx) \ +@@ -333,6 +402,7 @@ const OSSL_DISPATCH ossl_##name##_functi + + #define PROV_FUNC_SHAKE_DIGEST(name, bitlen, blksize, dgstsize, flags) \ + PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \ ++ { OSSL_FUNC_DIGEST_SQUEEZE, (void (*)(void))shake_squeeze }, \ + { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init_params }, \ + { OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))shake_set_ctx_params }, \ + { OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS, \ +@@ -398,7 +468,7 @@ static int shake_set_ctx_params(void *vc + SHA3_FLAGS) + + #define IMPLEMENT_SHAKE_functions(bitlen) \ +- SHA3_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \ ++ SHAKE_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \ + PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \ + SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ + SHAKE_FLAGS) +Index: openssl-3.2.3/test/build.info +=================================================================== +--- openssl-3.2.3.orig/test/build.info ++++ openssl-3.2.3/test/build.info +@@ -63,7 +63,7 @@ IF[{- !$disabled{tests} -}] + provfetchtest prov_config_test rand_test ca_internals_test \ + bio_tfo_test membio_test bio_dgram_test list_test fips_version_test \ + x509_test hpke_test pairwise_fail_test nodefltctxtest \ +- x509_load_cert_file_test ++ evp_xof_test x509_load_cert_file_test + + IF[{- !$disabled{'rpk'} -}] + PROGRAMS{noinst}=rpktest +@@ -571,6 +571,10 @@ IF[{- !$disabled{tests} -}] + INCLUDE[evp_kdf_test]=../include ../apps/include + DEPEND[evp_kdf_test]=../libcrypto libtestutil.a + ++ SOURCE[evp_xof_test]=evp_xof_test.c ++ INCLUDE[evp_xof_test]=../include ../apps/include ++ 
DEPEND[evp_xof_test]=../libcrypto libtestutil.a ++ + SOURCE[evp_pkey_dparams_test]=evp_pkey_dparams_test.c + INCLUDE[evp_pkey_dparams_test]=../include ../apps/include + DEPEND[evp_pkey_dparams_test]=../libcrypto libtestutil.a +Index: openssl-3.2.3/test/evp_xof_test.c +=================================================================== +--- /dev/null ++++ openssl-3.2.3/test/evp_xof_test.c +@@ -0,0 +1,492 @@ ++/* ++ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++#include "testutil.h" ++#include "internal/nelem.h" ++ ++static const unsigned char shake256_input[] = { ++ 0x8d, 0x80, 0x01, 0xe2, 0xc0, 0x96, 0xf1, 0xb8, ++ 0x8e, 0x7c, 0x92, 0x24, 0xa0, 0x86, 0xef, 0xd4, ++ 0x79, 0x7f, 0xbf, 0x74, 0xa8, 0x03, 0x3a, 0x2d, ++ 0x42, 0x2a, 0x2b, 0x6b, 0x8f, 0x67, 0x47, 0xe4 ++}; ++ ++/* ++ * This KAT output is 250 bytes, which is more than ++ * the SHAKE256 block size (136 bytes). 
++ */ ++static const unsigned char shake256_output[] = { ++ 0x2e, 0x97, 0x5f, 0x6a, 0x8a, 0x14, 0xf0, 0x70, ++ 0x4d, 0x51, 0xb1, 0x36, 0x67, 0xd8, 0x19, 0x5c, ++ 0x21, 0x9f, 0x71, 0xe6, 0x34, 0x56, 0x96, 0xc4, ++ 0x9f, 0xa4, 0xb9, 0xd0, 0x8e, 0x92, 0x25, 0xd3, ++ 0xd3, 0x93, 0x93, 0x42, 0x51, 0x52, 0xc9, 0x7e, ++ 0x71, 0xdd, 0x24, 0x60, 0x1c, 0x11, 0xab, 0xcf, ++ 0xa0, 0xf1, 0x2f, 0x53, 0xc6, 0x80, 0xbd, 0x3a, ++ 0xe7, 0x57, 0xb8, 0x13, 0x4a, 0x9c, 0x10, 0xd4, ++ 0x29, 0x61, 0x58, 0x69, 0x21, 0x7f, 0xdd, 0x58, ++ 0x85, 0xc4, 0xdb, 0x17, 0x49, 0x85, 0x70, 0x3a, ++ 0x6d, 0x6d, 0xe9, 0x4a, 0x66, 0x7e, 0xac, 0x30, ++ 0x23, 0x44, 0x3a, 0x83, 0x37, 0xae, 0x1b, 0xc6, ++ 0x01, 0xb7, 0x6d, 0x7d, 0x38, 0xec, 0x3c, 0x34, ++ 0x46, 0x31, 0x05, 0xf0, 0xd3, 0x94, 0x9d, 0x78, ++ 0xe5, 0x62, 0xa0, 0x39, 0xe4, 0x46, 0x95, 0x48, ++ 0xb6, 0x09, 0x39, 0x5d, 0xe5, 0xa4, 0xfd, 0x43, ++ 0xc4, 0x6c, 0xa9, 0xfd, 0x6e, 0xe2, 0x9a, 0xda, ++ 0x5e, 0xfc, 0x07, 0xd8, 0x4d, 0x55, 0x32, 0x49, ++ 0x45, 0x0d, 0xab, 0x4a, 0x49, 0xc4, 0x83, 0xde, ++ 0xd2, 0x50, 0xc9, 0x33, 0x8f, 0x85, 0xcd, 0x93, ++ 0x7a, 0xe6, 0x6b, 0xb4, 0x36, 0xf3, 0xb4, 0x02, ++ 0x6e, 0x85, 0x9f, 0xda, 0x1c, 0xa5, 0x71, 0x43, ++ 0x2f, 0x3b, 0xfc, 0x09, 0xe7, 0xc0, 0x3c, 0xa4, ++ 0xd1, 0x83, 0xb7, 0x41, 0x11, 0x1c, 0xa0, 0x48, ++ 0x3d, 0x0e, 0xda, 0xbc, 0x03, 0xfe, 0xb2, 0x3b, ++ 0x17, 0xee, 0x48, 0xe8, 0x44, 0xba, 0x24, 0x08, ++ 0xd9, 0xdc, 0xfd, 0x01, 0x39, 0xd2, 0xe8, 0xc7, ++ 0x31, 0x01, 0x25, 0xae, 0xe8, 0x01, 0xc6, 0x1a, ++ 0xb7, 0x90, 0x0d, 0x1e, 0xfc, 0x47, 0xc0, 0x78, ++ 0x28, 0x17, 0x66, 0xf3, 0x61, 0xc5, 0xe6, 0x11, ++ 0x13, 0x46, 0x23, 0x5e, 0x1d, 0xc3, 0x83, 0x25, ++ 0x66, 0x6c ++}; ++ ++static const unsigned char shake256_largemsg_input[] = { ++ 0xb2, 0xd2, 0x38, 0x65, 0xaf, 0x8f, 0x25, 0x6e, ++ 0x64, 0x40, 0xe2, 0x0d, 0x49, 0x8e, 0x3e, 0x64, ++ 0x46, 0xd2, 0x03, 0xa4, 0x19, 0xe3, 0x7b, 0x80, ++ 0xf7, 0x2b, 0x32, 0xe2, 0x76, 0x01, 0xfe, 0xdd, ++ 0xaa, 0x33, 0x3d, 0xe4, 0x8e, 0xe1, 0x5e, 0x39, ++ 0xa6, 0x92, 0xa3, 
0xa7, 0xe3, 0x81, 0x24, 0x74, ++ 0xc7, 0x38, 0x18, 0x92, 0xc9, 0x60, 0x50, 0x15, ++ 0xfb, 0xd8, 0x04, 0xea, 0xea, 0x04, 0xd2, 0xc5, ++ 0xc6, 0x68, 0x04, 0x5b, 0xc3, 0x75, 0x12, 0xd2, ++ 0xbe, 0xa2, 0x67, 0x75, 0x24, 0xbf, 0x68, 0xad, ++ 0x10, 0x86, 0xb3, 0x2c, 0xb3, 0x74, 0xa4, 0x6c, ++ 0xf9, 0xd7, 0x1e, 0x58, 0x69, 0x27, 0x88, 0x49, ++ 0x4e, 0x99, 0x15, 0x33, 0x14, 0xf2, 0x49, 0x21, ++ 0xf4, 0x99, 0xb9, 0xde, 0xd4, 0xf1, 0x12, 0xf5, ++ 0x68, 0xe5, 0x5c, 0xdc, 0x9e, 0xc5, 0x80, 0x6d, ++ 0x39, 0x50, 0x08, 0x95, 0xbb, 0x12, 0x27, 0x50, ++ 0x89, 0xf0, 0xf9, 0xd5, 0x4a, 0x01, 0x0b, 0x0d, ++ 0x90, 0x9f, 0x1e, 0x4a, 0xba, 0xbe, 0x28, 0x36, ++ 0x19, 0x7d, 0x9c, 0x0a, 0x51, 0xfb, 0xeb, 0x00, ++ 0x02, 0x6c, 0x4b, 0x0a, 0xa8, 0x6c, 0xb7, 0xc4, ++ 0xc0, 0x92, 0x37, 0xa7, 0x2d, 0x49, 0x61, 0x80, ++ 0xd9, 0xdb, 0x20, 0x21, 0x9f, 0xcf, 0xb4, 0x57, ++ 0x69, 0x75, 0xfa, 0x1c, 0x95, 0xbf, 0xee, 0x0d, ++ 0x9e, 0x52, 0x6e, 0x1e, 0xf8, 0xdd, 0x41, 0x8c, ++ 0x3b, 0xaa, 0x57, 0x13, 0x84, 0x73, 0x52, 0x62, ++ 0x18, 0x76, 0x46, 0xcc, 0x4b, 0xcb, 0xbd, 0x40, ++ 0xa1, 0xf6, 0xff, 0x7b, 0x32, 0xb9, 0x90, 0x7c, ++ 0x53, 0x2c, 0xf9, 0x38, 0x72, 0x0f, 0xcb, 0x90, ++ 0x42, 0x5e, 0xe2, 0x80, 0x19, 0x26, 0xe7, 0x99, ++ 0x96, 0x98, 0x18, 0xb1, 0x86, 0x5b, 0x4c, 0xd9, ++ 0x08, 0x27, 0x31, 0x8f, 0xf0, 0x90, 0xd9, 0x35, ++ 0x6a, 0x1f, 0x75, 0xc2, 0xe0, 0xa7, 0x60, 0xb8, ++ 0x1d, 0xd6, 0x5f, 0x56, 0xb2, 0x0b, 0x27, 0x0e, ++ 0x98, 0x67, 0x1f, 0x39, 0x18, 0x27, 0x68, 0x0a, ++ 0xe8, 0x31, 0x1b, 0xc0, 0x97, 0xec, 0xd1, 0x20, ++ 0x2a, 0x55, 0x69, 0x23, 0x08, 0x50, 0x05, 0xec, ++ 0x13, 0x3b, 0x56, 0xfc, 0x18, 0xc9, 0x1a, 0xa9, ++ 0x69, 0x0e, 0xe2, 0xcc, 0xc8, 0xd6, 0x19, 0xbb, ++ 0x87, 0x3b, 0x42, 0x77, 0xee, 0x77, 0x81, 0x26, ++ 0xdd, 0xf6, 0x5d, 0xc3, 0xb2, 0xb0, 0xc4, 0x14, ++ 0x6d, 0xb5, 0x4f, 0xdc, 0x13, 0x09, 0xc8, 0x53, ++ 0x50, 0xb3, 0xea, 0xd3, 0x5f, 0x11, 0x67, 0xd4, ++ 0x2f, 0x6e, 0x30, 0x1a, 0xbe, 0xd6, 0xf0, 0x2d, ++ 0xc9, 0x29, 0xd9, 0x0a, 0xa8, 0x6f, 0xa4, 0x18, ++ 0x74, 0x6b, 0xd3, 0x5d, 
0x6a, 0x73, 0x3a, 0xf2, ++ 0x94, 0x7f, 0xbd, 0xb4, 0xa6, 0x7f, 0x5b, 0x3d, ++ 0x26, 0xf2, 0x6c, 0x13, 0xcf, 0xb4, 0x26, 0x1e, ++ 0x38, 0x17, 0x66, 0x60, 0xb1, 0x36, 0xae, 0xe0, ++ 0x6d, 0x86, 0x69, 0xe7, 0xe7, 0xae, 0x77, 0x6f, ++ 0x7e, 0x99, 0xe5, 0xd9, 0x62, 0xc9, 0xfc, 0xde, ++ 0xb4, 0xee, 0x7e, 0xc8, 0xe9, 0xb7, 0x2c, 0xe2, ++ 0x70, 0xe8, 0x8b, 0x2d, 0x94, 0xad, 0xe8, 0x54, ++ 0xa3, 0x2d, 0x9a, 0xe2, 0x50, 0x63, 0x87, 0xb3, ++ 0x56, 0x29, 0xea, 0xa8, 0x5e, 0x96, 0x53, 0x9f, ++ 0x23, 0x8a, 0xef, 0xa3, 0xd4, 0x87, 0x09, 0x5f, ++ 0xba, 0xc3, 0xd1, 0xd9, 0x1a, 0x7b, 0x5c, 0x5d, ++ 0x5d, 0x89, 0xed, 0xb6, 0x6e, 0x39, 0x73, 0xa5, ++ 0x64, 0x59, 0x52, 0x8b, 0x61, 0x8f, 0x66, 0x69, ++ 0xb9, 0xf0, 0x45, 0x0a, 0x57, 0xcd, 0xc5, 0x7f, ++ 0x5d, 0xd0, 0xbf, 0xcc, 0x0b, 0x48, 0x12, 0xe1, ++ 0xe2, 0xc2, 0xea, 0xcc, 0x09, 0xd9, 0x42, 0x2c, ++ 0xef, 0x4f, 0xa7, 0xe9, 0x32, 0x5c, 0x3f, 0x22, ++ 0xc0, 0x45, 0x0b, 0x67, 0x3c, 0x31, 0x69, 0x29, ++ 0xa3, 0x39, 0xdd, 0x6e, 0x2f, 0xbe, 0x10, 0xc9, ++ 0x7b, 0xff, 0x19, 0x8a, 0xe9, 0xea, 0xfc, 0x32, ++ 0x41, 0x33, 0x70, 0x2a, 0x9a, 0xa4, 0xe6, 0xb4, ++ 0x7e, 0xb4, 0xc6, 0x21, 0x49, 0x5a, 0xfc, 0x45, ++ 0xd2, 0x23, 0xb3, 0x28, 0x4d, 0x83, 0x60, 0xfe, ++ 0x70, 0x68, 0x03, 0x59, 0xd5, 0x15, 0xaa, 0x9e, ++ 0xa0, 0x2e, 0x36, 0xb5, 0x61, 0x0f, 0x61, 0x05, ++ 0x3c, 0x62, 0x00, 0xa0, 0x47, 0xf1, 0x86, 0xba, ++ 0x33, 0xb8, 0xca, 0x60, 0x2f, 0x3f, 0x0a, 0x67, ++ 0x09, 0x27, 0x2f, 0xa2, 0x96, 0x02, 0x52, 0x58, ++ 0x55, 0x68, 0x80, 0xf4, 0x4f, 0x47, 0xba, 0xff, ++ 0x41, 0x7a, 0x40, 0x4c, 0xfd, 0x9d, 0x10, 0x72, ++ 0x0e, 0x20, 0xa9, 0x7f, 0x9b, 0x9b, 0x14, 0xeb, ++ 0x8e, 0x61, 0x25, 0xcb, 0xf4, 0x58, 0xff, 0x47, ++ 0xa7, 0x08, 0xd6, 0x4e, 0x2b, 0xf1, 0xf9, 0x89, ++ 0xd7, 0x22, 0x0f, 0x8d, 0x35, 0x07, 0xa0, 0x54, ++ 0xab, 0x83, 0xd8, 0xee, 0x5a, 0x3e, 0x88, 0x74, ++ 0x46, 0x41, 0x6e, 0x3e, 0xb7, 0xc0, 0xb6, 0x55, ++ 0xe0, 0x36, 0xc0, 0x2b, 0xbf, 0xb8, 0x24, 0x8a, ++ 0x44, 0x82, 0xf4, 0xcb, 0xb5, 0xd7, 0x41, 0x48, ++ 0x51, 0x08, 0xe0, 0x14, 0x34, 
0xd2, 0x6d, 0xe9, ++ 0x7a, 0xec, 0x91, 0x61, 0xa7, 0xe1, 0x81, 0x69, ++ 0x47, 0x1c, 0xc7, 0xf3 ++}; ++ ++static const unsigned char shake256_largemsg_output[] = { ++ 0x64, 0xea, 0x24, 0x6a, 0xab, 0x80, 0x37, 0x9e, ++ 0x08, 0xe2, 0x19, 0x9e, 0x09, 0x69, 0xe2, 0xee, ++ 0x1a, 0x5d, 0xd1, 0x68, 0x68, 0xec, 0x8d, 0x42, ++ 0xd0, 0xf8, 0xb8, 0x44, 0x74, 0x54, 0x87, 0x3e, ++}; ++ ++static EVP_MD_CTX *shake_setup(const char *name) ++{ ++ EVP_MD_CTX *ctx = NULL; ++ EVP_MD *md = NULL; ++ ++ if (!TEST_ptr(md = EVP_MD_fetch(NULL, name, NULL))) ++ return NULL; ++ ++ if (!TEST_ptr(ctx = EVP_MD_CTX_new())) ++ goto err; ++ if (!TEST_true(EVP_DigestInit_ex2(ctx, md, NULL))) ++ goto err; ++ EVP_MD_free(md); ++ return ctx; ++err: ++ EVP_MD_free(md); ++ EVP_MD_CTX_free(ctx); ++ return NULL; ++} ++ ++static int shake_kat_test(void) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char out[sizeof(shake256_output)]; ++ ++ if (!TEST_ptr(ctx = shake_setup("SHAKE256"))) ++ return 0; ++ if (!TEST_true(EVP_DigestUpdate(ctx, shake256_input, ++ sizeof(shake256_input))) ++ || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out))) ++ || !TEST_mem_eq(out, sizeof(out), ++ shake256_output,sizeof(shake256_output)) ++ /* Test that a second call to EVP_DigestFinalXOF fails */ ++ || !TEST_false(EVP_DigestFinalXOF(ctx, out, sizeof(out))) ++ /* Test that a call to EVP_DigestSqueeze fails */ ++ || !TEST_false(EVP_DigestSqueeze(ctx, out, sizeof(out)))) ++ goto err; ++ ret = 1; ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++static int shake_kat_digestfinal_test(void) ++{ ++ int ret = 0; ++ unsigned int digest_length = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char out[sizeof(shake256_output)]; ++ ++ if (!TEST_ptr(ctx = shake_setup("SHAKE256"))) ++ return 0; ++ if (!TEST_true(EVP_DigestUpdate(ctx, shake256_input, ++ sizeof(shake256_input))) ++ || !TEST_true(EVP_DigestFinal(ctx, out, &digest_length)) ++ || !TEST_uint_eq(digest_length, 32) ++ || !TEST_mem_eq(out, digest_length, ++ 
shake256_output, digest_length) ++ || !TEST_false(EVP_DigestFinalXOF(ctx, out, sizeof(out)))) ++ goto err; ++ ret = 1; ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++/* ++ * Test that EVP_DigestFinal() returns the output length ++ * set by the OSSL_DIGEST_PARAM_XOFLEN param. ++ */ ++static int shake_kat_digestfinal_xoflen_test(void) ++{ ++ int ret = 0; ++ unsigned int digest_length = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char out[sizeof(shake256_output)]; ++ OSSL_PARAM params[2]; ++ size_t sz = 12; ++ ++ if (!TEST_ptr(ctx = shake_setup("SHAKE256"))) ++ return 0; ++ ++ memset(out, 0, sizeof(out)); ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_XOFLEN, &sz); ++ params[1] = OSSL_PARAM_construct_end(); ++ ++ if (!TEST_int_eq(EVP_MD_CTX_set_params(ctx, params), 1) ++ || !TEST_true(EVP_DigestUpdate(ctx, shake256_input, ++ sizeof(shake256_input))) ++ || !TEST_true(EVP_DigestFinal(ctx, out, &digest_length)) ++ || !TEST_uint_eq(digest_length, (unsigned int)sz) ++ || !TEST_mem_eq(out, digest_length, ++ shake256_output, digest_length) ++ || !TEST_uchar_eq(out[digest_length], 0)) ++ goto err; ++ ret = 1; ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++/* ++ * Test that multiple absorb calls gives the expected result. ++ * This is a nested test that uses multiple strides for the input. 
++ */ ++static int shake_absorb_test(void) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char out[sizeof(shake256_largemsg_output)]; ++ size_t total = sizeof(shake256_largemsg_input); ++ size_t i, stride, sz; ++ ++ if (!TEST_ptr(ctx = shake_setup("SHAKE256"))) ++ return 0; ++ ++ for (stride = 1; stride < total; ++stride) { ++ sz = 0; ++ for (i = 0; i < total; i += sz) { ++ sz += stride; ++ if ((i + sz) > total) ++ sz = total - i; ++ if (!TEST_true(EVP_DigestUpdate(ctx, shake256_largemsg_input + i, ++ sz))) ++ goto err; ++ } ++ if (!TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out))) ++ || !TEST_mem_eq(out, sizeof(out), ++ shake256_largemsg_output, ++ sizeof(shake256_largemsg_output))) ++ goto err; ++ if (!TEST_true(EVP_DigestInit_ex2(ctx, NULL, NULL))) ++ goto err; ++ } ++ ret = 1; ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++/* ++ * Table containing the size of the output to squeeze for the ++ * initially call, followed by a size for each subsequent call. ++ */ ++static const struct { ++ size_t startsz, incsz; ++} stride_tests[] = { ++ { 1, 1 }, ++ { 1, 136 }, ++ { 1, 136/2 }, ++ { 1, 136/2-1 }, ++ { 1, 136/2+1 }, ++ { 1, 136*3 }, ++ { 8, 8 }, ++ { 9, 9 }, ++ { 10, 10 }, ++ { 136/2 - 1, 136 }, ++ { 136/2 - 1, 136-1 }, ++ { 136/2 - 1, 136+1 }, ++ { 136/2, 136 }, ++ { 136/2, 136-1 }, ++ { 136/2, 136+1 }, ++ { 136/2 + 1, 136 }, ++ { 136/2 + 1, 136-1 }, ++ { 136/2 + 1, 136+1 }, ++ { 136, 2 }, ++ { 136, 136 }, ++ { 136-1, 136 }, ++ { 136-1, 136-1 }, ++ { 136-1, 136+1 }, ++ { 136+1, 136 }, ++ { 136+1, 136-1 }, ++ { 136+1, 136+1 }, ++ { 136*3, 136 }, ++ { 136*3, 136 + 1 }, ++ { 136*3, 136 - 1 }, ++ { 136*3, 136/2 }, ++ { 136*3, 136/2 + 1 }, ++ { 136*3, 136/2 - 1 }, ++}; ++ ++/* ++ * Helper to do multiple squeezes of output data using SHAKE256. ++ * tst is an index into the stride_tests[] containing an initial starting ++ * output length, followed by a second output length to use for all remaining ++ * squeezes. 
expected_outlen contains the total number of bytes to squeeze. ++ * in and inlen represent the input to absorb. expected_out and expected_outlen ++ * represent the expected output. ++ */ ++static int do_shake_squeeze_test(int tst, ++ const unsigned char *in, size_t inlen, ++ const unsigned char *expected_out, ++ size_t expected_outlen) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char *out = NULL; ++ size_t i = 0, sz = stride_tests[tst].startsz; ++ ++ if (!TEST_ptr(ctx = shake_setup("SHAKE256"))) ++ return 0; ++ if (!TEST_ptr(out = OPENSSL_malloc(expected_outlen))) ++ goto err; ++ if (!TEST_true(EVP_DigestUpdate(ctx, in, inlen))) ++ goto err; ++ ++ while (i < expected_outlen) { ++ if ((i + sz) > expected_outlen) ++ sz = expected_outlen - i; ++ if (!TEST_true(EVP_DigestSqueeze(ctx, out + i, sz))) ++ goto err; ++ i += sz; ++ sz = stride_tests[tst].incsz; ++ } ++ if (!TEST_mem_eq(out, expected_outlen, expected_out, expected_outlen)) ++ goto err; ++ ret = 1; ++err: ++ OPENSSL_free(out); ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++static int shake_squeeze_kat_test(int tst) ++{ ++ return do_shake_squeeze_test(tst, shake256_input, sizeof(shake256_input), ++ shake256_output, sizeof(shake256_output)); ++} ++ ++/* ++ * Generate some random input to absorb, and then ++ * squeeze it out in one operation to get a expected ++ * output. Use this to test that multiple squeeze calls ++ * on the same input gives the same output. 
++ */ ++static int shake_squeeze_large_test(int tst) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char msg[16]; ++ unsigned char out[2000]; ++ ++ if (!TEST_int_gt(RAND_bytes(msg, sizeof(msg)), 0) ++ || !TEST_ptr(ctx = shake_setup("SHAKE256")) ++ || !TEST_true(EVP_DigestUpdate(ctx, msg, sizeof(msg))) ++ || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out)))) ++ goto err; ++ ++ ret = do_shake_squeeze_test(tst, msg, sizeof(msg), out, sizeof(out)); ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++static const size_t dupoffset_tests[] = { ++ 1, 135, 136, 137, 136*3-1, 136*3, 136*3+1 ++}; ++ ++/* Helper function to test that EVP_MD_CTX_dup() copies the internal state */ ++static int do_shake_squeeze_dup_test(int tst, const char *alg, ++ const unsigned char *in, size_t inlen, ++ const unsigned char *expected_out, ++ size_t expected_outlen) ++{ ++ int ret = 0; ++ EVP_MD_CTX *cur, *ctx = NULL, *dupctx = NULL; ++ unsigned char *out = NULL; ++ size_t i = 0, sz = 10; ++ size_t dupoffset = dupoffset_tests[tst]; ++ ++ if (!TEST_ptr(ctx = shake_setup(alg))) ++ return 0; ++ cur = ctx; ++ if (!TEST_ptr(out = OPENSSL_malloc(expected_outlen))) ++ goto err; ++ if (!TEST_true(EVP_DigestUpdate(ctx, in, inlen))) ++ goto err; ++ ++ while (i < expected_outlen) { ++ if ((i + sz) > expected_outlen) ++ sz = expected_outlen - i; ++ if (!TEST_true(EVP_DigestSqueeze(cur, out + i, sz))) ++ goto err; ++ i += sz; ++ /* At a certain offset we swap to a new ctx that copies the state */ ++ if (dupctx == NULL && i >= dupoffset) { ++ if (!TEST_ptr(dupctx = EVP_MD_CTX_dup(ctx))) ++ goto err; ++ cur = dupctx; ++ } ++ } ++ if (!TEST_mem_eq(out, expected_outlen, expected_out, expected_outlen)) ++ goto err; ++ ret = 1; ++err: ++ OPENSSL_free(out); ++ EVP_MD_CTX_free(ctx); ++ EVP_MD_CTX_free(dupctx); ++ return ret; ++} ++ ++/* Test that the internal state can be copied */ ++static int shake_squeeze_dup_test(int tst) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char 
msg[16]; ++ unsigned char out[1000]; ++ const char *alg = "SHAKE128"; ++ ++ if (!TEST_int_gt(RAND_bytes(msg, sizeof(msg)), 0) ++ || !TEST_ptr(ctx = shake_setup(alg)) ++ || !TEST_true(EVP_DigestUpdate(ctx, msg, sizeof(msg))) ++ || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out)))) ++ goto err; ++ ++ ret = do_shake_squeeze_dup_test(tst, alg, msg, sizeof(msg), ++ out, sizeof(out)); ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++int setup_tests(void) ++{ ++ ADD_TEST(shake_kat_test); ++ ADD_TEST(shake_kat_digestfinal_test); ++ ADD_TEST(shake_kat_digestfinal_xoflen_test); ++ ADD_TEST(shake_absorb_test); ++ ADD_ALL_TESTS(shake_squeeze_kat_test, OSSL_NELEM(stride_tests)); ++ ADD_ALL_TESTS(shake_squeeze_large_test, OSSL_NELEM(stride_tests)); ++ ADD_ALL_TESTS(shake_squeeze_dup_test, OSSL_NELEM(dupoffset_tests)); ++ return 1; ++} +Index: openssl-3.2.3/test/recipes/30-test_evp_xof.t +=================================================================== +--- /dev/null ++++ openssl-3.2.3/test/recipes/30-test_evp_xof.t +@@ -0,0 +1,12 @@ ++#! /usr/bin/env perl ++# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++ ++use OpenSSL::Test::Simple; ++ ++simple_test("test_evp_xof", "evp_xof_test"); +Index: openssl-3.2.3/util/libcrypto.num +=================================================================== +--- openssl-3.2.3.orig/util/libcrypto.num ++++ openssl-3.2.3/util/libcrypto.num +@@ -5536,6 +5536,7 @@ X509_STORE_CTX_set_get_crl + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK ++EVP_DigestSqueeze ? 3_2_0 EXIST::FUNCTION: + ossl_safe_getenv ? 
3_2_0 EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
diff --git a/openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch b/openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
new file mode 100644
index 0000000..26523be
--- /dev/null
+++ b/openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
@@ -0,0 +1,90 @@
+commit a75d62637aa165a7f37e39a3a36e2a8b089913bc
+Author: Ingo Franzki
+Date: Mon Aug 26 11:26:03 2024 +0200
+
+ s390x: Disable HMAC hardware acceleration when an engine is used for the digest
+
+ The TLSProxy uses the 'ossltest' engine to produce known output for digests
+ and HMAC calls. However, when running on a s390x system that supports
+ hardware acceleration of HMAC, the engine is not used for calculating HMACs,
+ but the s390x specific HMAC implementation is used, which does produce correct
+ output, but not the known output that the engine would produce. This causes
+ some tests (i.e. test_key_share, test_sslextension, test_sslrecords,
+ test_sslvertol, and test_tlsextms) to fail.
+
+ Disable the s390x HMAC hardware acceleration if an engine is used for the
+ digest of the HMAC calculation. This provides compatibility for engines that
+ provide digest implementations, and assume that these implementations are also
+ used when calculating an HMAC.
+
+ 
Signed-off-by: Ingo Franzki
+
+ Reviewed-by: Neil Horman
+ Reviewed-by: Tomas Mraz
+ (Merged from https://github.com/openssl/openssl/pull/25287)
+
+diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
+index 5db7e9a221..02e1cd1dd6 100644
+--- a/crypto/hmac/hmac_s390x.c
++++ b/crypto/hmac/hmac_s390x.c
+@@ -7,10 +7,16 @@
+ * https://www.openssl.org/source/license.html
+ */
+
++/* We need to use some engine deprecated APIs */
++#define OPENSSL_SUPPRESS_DEPRECATED
++
+ #include "crypto/s390x_arch.h"
+ #include "hmac_local.h"
+ #include "openssl/obj_mac.h"
+ #include "openssl/evp.h"
++#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
++# include
++#endif
+
+ #ifdef OPENSSL_HMAC_S390X
+
+@@ -63,6 +69,31 @@ static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len)
+ ctx->plat.s390x.ikp = 1;
+ }
+
++static int s390x_check_engine_used(const EVP_MD *md, ENGINE *impl)
++{
++# if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
++ const EVP_MD *d;
++
++ if (impl != NULL) {
++ if (!ENGINE_init(impl))
++ return 0;
++ } else {
++ impl = ENGINE_get_digest_engine(EVP_MD_get_type(md));
++ }
++
++ if (impl == NULL)
++ return 0;
++
++ d = ENGINE_get_digest(impl, EVP_MD_get_type(md));
++ ENGINE_finish(impl);
++
++ if (d != NULL)
++ return 1;
++# endif
++
++ return 0;
++}
++
+ int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
+ {
+ unsigned char *key_param;
+@@ -72,6 +103,11 @@ int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
+ if (ctx->plat.s390x.fc == 0)
+ return -1; /* Not supported by kmac instruction */
+
++ if (s390x_check_engine_used(ctx->md, impl)) {
++ ctx->plat.s390x.fc = 0;
++ return -1; /* An engine handles the digest, disable acceleration */
++ }
++
+ ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md);
+ if (ctx->plat.s390x.blk_size < 0)
+ return 0;
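Review bot: `s390x_check_engine_used` treats a failed `ENGINE_init(impl)` as "no engine", so `s390x_HMAC_init` keeps the KMAC path when the caller explicitly asked for an engine that cannot be initialised; the generic HMAC path would presumably fail that same init, so the error is masked rather than surfaced. If that is intended, say so above the function: `/* Returns 1 if an engine supplies the digest for md (caller must fall back to the generic HMAC path), 0 otherwise; an engine that fails to init is treated as absent. */`. The `# include` line in the first hunk shows no header name in this rendering (angle-bracketed names appear stripped); the on-disk patch should name `openssl/engine.h` there. `s390x_HMAC_init` continues outside the hunk.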
diff --git a/openssl-3-fix-hmac-digest-detection-s390x.patch b/openssl-3-fix-hmac-digest-detection-s390x.patch
new file mode 100644
index 0000000..7e2d4e5
--- /dev/null
+++ b/openssl-3-fix-hmac-digest-detection-s390x.patch
@@ -0,0 +1,49 @@
+commit d5b3c0e24bc56614e92ffafdd705622beaef420a
+Author: Ingo Franzki
+Date: Wed Aug 28 14:56:33 2024 +0200
+
+ s390x: Fix HMAC digest detection
+
+ Use EVP_MD_is_a() instead of EVP_MD_get_type() to detect the digest
+ type. EVP_MD_get_type() does not always return the expected NID, e.g.
+ when running in the FIPS provider, EVP_MD_get_type() returns zero,
+ causing to skip the HMAC acceleration path.
+
+ Signed-off-by: Ingo Franzki
+
+ Reviewed-by: Paul Dale
+ Reviewed-by: Tomas Mraz
+ (Merged from https://github.com/openssl/openssl/pull/25304)
+
+diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
+index 8b0da0d59d..5db7e9a221 100644
+--- a/crypto/hmac/hmac_s390x.c
++++ b/crypto/hmac/hmac_s390x.c
+@@ -18,22 +18,16 @@ static int s390x_fc_from_md(const EVP_MD *md)
+ {
+ int fc;
+
+- switch (EVP_MD_get_type(md)) {
+- case NID_sha224:
++ if (EVP_MD_is_a(md, "SHA2-224"))
+ fc = S390X_HMAC_SHA_224;
+- break;
+- case NID_sha256:
++ else if (EVP_MD_is_a(md, "SHA2-256"))
+ fc = S390X_HMAC_SHA_256;
+- break;
+- case NID_sha384:
++ else if (EVP_MD_is_a(md, "SHA2-384"))
+ fc = S390X_HMAC_SHA_384;
+- break;
+- case NID_sha512:
++ else if (EVP_MD_is_a(md, "SHA2-512"))
+ fc = S390X_HMAC_SHA_512;
+- break;
+- default:
++ else
+ return 0;
+- }
+
+ if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0)
+ return 0;
diff --git a/openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch b/openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
new file mode 100644
index 0000000..452f5e0
--- /dev/null
+++ b/openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
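Review bot: The new `EVP_MD_is_a` chain in `s390x_fc_from_md` keys on provider algorithm names, and nothing in the code says why the NID switch was dropped, so the next reader may "simplify" it back; a one-line comment above the first `if` keeps the reason with the code: `/* Match by name, not NID: EVP_MD_get_type() is 0 for FIPS-provider digests, and EVP_MD_is_a() also matches aliases such as "SHA256" */`. The capability check that follows the chain is the hunk's last line; the rest of the function is outside the hunk.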
@@ -0,0 +1,28 @@
+commit 19b87d2d2b022c20dd9043c3b6d021315011b45f
+Author: Ingo Franzki
+Date: Tue Aug 20 11:35:20 2024 +0200
+
+ s390x: Fix memory leak in s390x_HMAC_CTX_copy()
+
+ When s390x_HMAC_CTX_copy() is called, but the destination context already
+ has a buffer allocated, it is not freed before duplicating the buffer from
+ the source context.
+
+ Signed-off-by: Ingo Franzki
+
+ Reviewed-by: Paul Dale
+ Reviewed-by: Shane Lontis
+ (Merged from https://github.com/openssl/openssl/pull/25238)
+
+diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
+index 1124d9bc5d..8b0da0d59d 100644
+--- a/crypto/hmac/hmac_s390x.c
++++ b/crypto/hmac/hmac_s390x.c
+@@ -263,6 +263,7 @@ int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
+ memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param,
+ sizeof(dctx->plat.s390x.param));
+
++ OPENSSL_clear_free(dctx->plat.s390x.buf, dctx->plat.s390x.size);
+ dctx->plat.s390x.buf = NULL;
+ if (sctx->plat.s390x.buf != NULL) {
+ dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf,
diff --git a/openssl-3-fix-quic_multistream_test.patch b/openssl-3-fix-quic_multistream_test.patch
new file mode 100644
index 0000000..fb1102b
--- /dev/null
+++ b/openssl-3-fix-quic_multistream_test.patch
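Review bot: `OPENSSL_clear_free(dctx->plat.s390x.buf, dctx->plat.s390x.size)` releases the old buffer, but `dctx->plat.s390x.size` is left describing memory that no longer exists while `buf` is set to NULL on the next line; if the `OPENSSL_memdup` that follows fails, the context carries a NULL buffer with a stale non-zero size. Reset both together: `dctx->plat.s390x.size = 0;` immediately after `dctx->plat.s390x.buf = NULL;`, assuming the remainder of the function (outside the hunk) assigns `size` only on a successful memdup. Using `OPENSSL_clear_free` rather than a plain free is the right call here, as the buffer presumably holds key-dependent HMAC state.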
@@ -0,0 +1,25 @@
+From b5795e3ed3ec38ef4686a5b7ff03bfd60183cb71 Mon Sep 17 00:00:00 2001
+From: "Randall S. Becker"
+Date: Mon, 20 May 2024 22:23:04 +0000
+Subject: [PATCH] Added an explicit yield (OP_SLEEP) to QUIC testing for
+ cooperative threading.
+
+Fixes: #24442
+
+Signed-off-by: Randall S. Becker
+---
+ test/quic_multistream_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: openssl-3.2.3/test/quic_multistream_test.c
+===================================================================
+--- openssl-3.2.3.orig/test/quic_multistream_test.c
++++ openssl-3.2.3/test/quic_multistream_test.c
+@@ -2397,6 +2397,7 @@ static const struct script_op script_13_
+
+ OP_C_ACCEPT_STREAM_WAIT (a)
+ OP_C_READ_EXPECT (a, "foo", 3)
++ OP_SLEEP (10)
+ OP_C_EXPECT_FIN (a)
+ OP_C_FREE_STREAM (a)
+
diff --git a/openssl-3-fix-s390x_sha3_absorb.patch b/openssl-3-fix-s390x_sha3_absorb.patch
new file mode 100644
index 0000000..b7bf778
--- /dev/null
+++ b/openssl-3-fix-s390x_sha3_absorb.patch
@@ -0,0 +1,50 @@
+From 979dc530010e3c0f045edf6e38c7ab894ffba7f2 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki
+Date: Thu, 5 Sep 2024 08:45:29 +0200
+Subject: [PATCH] s390x: Fix s390x_sha3_absorb() when no data is processed by
+ KIMD
+
+If the data to absorb is less than a block, then the KIMD instruction is
+called with zero bytes. This is superfluous, and causes incorrect hash
+output later on if this is the very first absorb call, i.e. when the
+xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case
+the NIP flag is set in the function code for KIMD, but KIMD ignores the
+NIP flag when it is called with zero bytes to process.
+
+Skip any KIMD calls for zero length data. Also do not set the xof_state
+to XOF_STATE_ABSORB until the first call to KIMD with data. That way,
+the next KIMD (with non-zero length data) or KLMD call will get the NIP
+flag set and will then honor it to produce correct output.
+
+Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
+
+Signed-off-by: Ingo Franzki
+
+Reviewed-by: Viktor Dukhovni
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/25388)
+---
+ providers/implementations/digests/sha3_prov.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -192,10 +192,12 @@ static size_t s390x_sha3_absorb(void *vc
+ if (!(ctx->xof_state == XOF_STATE_INIT ||
+ ctx->xof_state == XOF_STATE_ABSORB))
+ return 0;
+- fc = ctx->pad;
+- fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
+- ctx->xof_state = XOF_STATE_ABSORB;
+- s390x_kimd(inp, len - rem, fc, ctx->A);
++ if (len - rem > 0) {
++ fc = ctx->pad;
++ fc |= ctx->xof_state == XOF_STATE_INIT ? 
S390X_KIMD_NIP : 0;
++ ctx->xof_state = XOF_STATE_ABSORB;
++ s390x_kimd(inp, len - rem, fc, ctx->A);
++ }
+ return rem;
+ }
diff --git a/openssl-3-fix-s390x_shake_squeeze.patch b/openssl-3-fix-s390x_shake_squeeze.patch
new file mode 100644
index 0000000..a2757ed
--- /dev/null
+++ b/openssl-3-fix-s390x_shake_squeeze.patch
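Review bot: `if (len - rem > 0)` compares an unsigned `size_t` against zero, which reads like a signed test; since `rem = len % ctx->block_size` guarantees `rem <= len`, write the intent directly as `if (len - rem != 0) {` or `if (len >= ctx->block_size) {`. The reason for skipping the zero-length KIMD call lives only in the commit message, so a comment on the `if` is worth having: `/* KIMD ignores NIP for zero-length input; defer the state change until there is data */`. `s390x_sha3_absorb` begins before the hunk.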
@@ -0,0 +1,98 @@
+From dc5afb7e87ee448f4fecad0dc624c643505ba7f1 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki
+Date: Wed, 4 Sep 2024 13:42:09 +0200
+Subject: [PATCH] s390x: Fix s390x_shake_squeeze() when MSA 12 is available
+
+On the first squeeze call, when finishing the absorb process, also set
+the NIP flag, if we are still in XOF_STATE_INIT state. When MSA 12 is
+available, the state buffer A has not been zeroed during initialization,
+thus we must also pass the NIP flag here. This situation can happen
+when a squeeze is performed without a preceding absorb (i.e. a SHAKE
+of the empty message).
+
+Add a test that performs a squeeze without a preceding absorb and check
+if the result is correct.
+
+Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
+
+Signed-off-by: Ingo Franzki
+
+Reviewed-by: Viktor Dukhovni
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/25388)
+---
+ providers/implementations/digests/sha3_prov.c | 5 +++-
+ test/evp_xof_test.c | 29 +++++++++++++++++++
+ 2 files changed, 33 insertions(+), 1 deletion(-)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -239,6 +239,7 @@ static int s390x_shake_final(void *vctx,
+ static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen)
+ {
+ KECCAK1600_CTX *ctx = vctx;
++ unsigned int fc;
+ size_t len;
+
+ if (!ossl_prov_is_running())
+@@ -249,8 +250,10 @@ static int s390x_shake_squeeze(void *vct
+ * On the first squeeze call, finish the absorb process (incl. padding).
+ */
+ if (ctx->xof_state != XOF_STATE_SQUEEZE) {
++ fc = ctx->pad;
++ fc |= ctx->xof_state == XOF_STATE_INIT ? 
S390X_KLMD_NIP : 0;
+ ctx->xof_state = XOF_STATE_SQUEEZE;
+- s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
++ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A);
+ ctx->bufsz = outlen % ctx->block_size;
+ /* reuse ctx->bufsz to count bytes squeezed from current sponge */
+ return 1;
+Index: openssl-3.2.3/test/evp_xof_test.c
+===================================================================
+--- openssl-3.2.3.orig/test/evp_xof_test.c
++++ openssl-3.2.3/test/evp_xof_test.c
+@@ -479,6 +479,34 @@ err:
+ return ret;
+ }
+
++/* Test that a squeeze without a preceding absorb works */
++static int shake_squeeze_no_absorb_test(void)
++{
++ int ret = 0;
++ EVP_MD_CTX *ctx = NULL;
++ unsigned char out[1000];
++ unsigned char out2[1000];
++ const char *alg = "SHAKE128";
++
++ if (!TEST_ptr(ctx = shake_setup(alg))
++ || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out))))
++ goto err;
++
++ if (!TEST_true(EVP_DigestInit_ex2(ctx, NULL, NULL))
++ || !TEST_true(EVP_DigestSqueeze(ctx, out2, sizeof(out2) / 2))
++ || !TEST_true(EVP_DigestSqueeze(ctx, out2 + sizeof(out2) / 2,
++ sizeof(out2) / 2)))
++ goto err;
++
++ if (!TEST_mem_eq(out2, sizeof(out2), out, sizeof(out)))
++ goto err;
++ ret = 1;
++
++err:
++ EVP_MD_CTX_free(ctx);
++ return ret;
++}
++
+ int setup_tests(void)
+ {
+ ADD_TEST(shake_kat_test);
+@@ -488,5 +516,7 @@ int setup_tests(void)
+ ADD_ALL_TESTS(shake_squeeze_kat_test, OSSL_NELEM(stride_tests));
+ ADD_ALL_TESTS(shake_squeeze_large_test, OSSL_NELEM(stride_tests));
+ ADD_ALL_TESTS(shake_squeeze_dup_test, OSSL_NELEM(dupoffset_tests));
++ ADD_TEST(shake_squeeze_no_absorb_test);
++
+ return 1;
+ }
diff --git a/openssl-3-fix-sha3-squeeze-ppc64.patch b/openssl-3-fix-sha3-squeeze-ppc64.patch
new file mode 100644
index 0000000..cedf5f2
--- /dev/null
+++ b/openssl-3-fix-sha3-squeeze-ppc64.patch
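Review bot: The block comment above `if (ctx->xof_state != XOF_STATE_SQUEEZE)` still says only "finish the absorb process (incl. padding)", although the code now also decides whether to pass `S390X_KLMD_NIP`, which is the whole point of the fix; extend it with ` * If nothing was absorbed yet (still XOF_STATE_INIT), also set NIP so KLMD initialises the state buffer A.`. The new `shake_squeeze_no_absorb_test` exercises the empty-message case for "SHAKE128" only; running the same body for "SHAKE256" (the other `shake_setup` name this test file already uses) would cover the second pad/rate combination at no extra cost. `s390x_shake_squeeze` continues past the hunk.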
@@ -0,0 +1,31 @@
+commit ed5e478261127cafe9c3f86c4992eab1e5c7ebb1
+Author: Rohan McLure
+Date: Tue Nov 14 14:14:33 2023 +1100
+
+ ppc64: Fix SHA3_squeeze
+
+ Fix the conditional on the 'next' parameter passed into SHA3_squeeze.
+
+ Reported-by: David Benjamin
+ Signed-off-by: Rohan McLure
+
+ Reviewed-by: Shane Lontis
+ Reviewed-by: Paul Dale
+ Reviewed-by: Tomas Mraz
+ (Merged from https://github.com/openssl/openssl/pull/22722)
+
+diff --git a/crypto/sha/asm/keccak1600-ppc64.pl b/crypto/sha/asm/keccak1600-ppc64.pl
+index 3f8ba817f8..fe7d6db20e 100755
+--- a/crypto/sha/asm/keccak1600-ppc64.pl
++++ b/crypto/sha/asm/keccak1600-ppc64.pl
+@@ -668,8 +668,8 @@ SHA3_squeeze:
+ subi $out,r4,1 ; prepare for stbu
+ mr $len,r5
+ mr $bsz,r6
+- ${UCMP}i r7,1 ; r7 = 'next' argument
+- blt .Lnext_block
++ ${UCMP}i r7,0 ; r7 = 'next' argument
++ bne .Lnext_block
+ b .Loop_squeeze
+
+ .align 4
diff --git a/openssl-3-fix-state-handling-keccak_final_s390x.patch b/openssl-3-fix-state-handling-keccak_final_s390x.patch
new file mode 100644
index 0000000..7f68786
--- /dev/null
+++ b/openssl-3-fix-state-handling-keccak_final_s390x.patch
@@ -0,0 +1,32 @@
+commit 1022131d16e30cfbf896e02419019de48e8e1149
+Author: Holger Dengler
+Date: Wed Sep 27 15:43:18 2023 +0200
+
+ Fix state handling of keccak_final for s390x.
+
+ The digest life-cycle state diagram has been updated for XOF. Fix the
+ state handling in s390x_keccac_final() according to the updated state
+ diagram.
+
+ 
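Review bot: The corrected pair `${UCMP}i r7,0` / `bne .Lnext_block` keeps the comment `; r7 = 'next' argument`, which names the register but not the contract, and the contract is exactly what the old `blt` had inverted. State it at the branch so the next reader does not have to reconstruct it: `; next != 0: state already emitted once, permute before squeezing` — assuming `.Lnext_block` is the label that runs the permutation before emitting output, which is outside the hunk. The rest of `SHA3_squeeze` is also outside the hunk.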
Signed-off-by: Holger Dengler
+
+ Reviewed-by: Shane Lontis
+ Reviewed-by: Todd Short
+ Reviewed-by: Tomas Mraz
+ (Merged from https://github.com/openssl/openssl/pull/22221)
+
+diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
+index 34620cf95a..f691273baf 100644
+--- a/providers/implementations/digests/sha3_prov.c
++++ b/providers/implementations/digests/sha3_prov.c
+@@ -235,6 +235,10 @@ static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen,
+
+ if (!ossl_prov_is_running())
+ return 0;
++ if (!(ctx->xof_state == XOF_STATE_INIT ||
++ ctx->xof_state == XOF_STATE_ABSORB))
++ return 0;
++ ctx->xof_state = XOF_STATE_FINAL;
+ if (outlen == 0)
+ return 1;
+ memset(ctx->buf + num, 0, bsz - num);
diff --git a/openssl-3-fix-state-handling-sha3_absorb_s390x.patch b/openssl-3-fix-state-handling-sha3_absorb_s390x.patch
new file mode 100644
index 0000000..35b0b30
--- /dev/null
+++ b/openssl-3-fix-state-handling-sha3_absorb_s390x.patch
@@ -0,0 +1,32 @@
+commit 7aa45b8bb3269e881d0378aa785ff344efdd2897
+Author: Holger Dengler
+Date: Wed Sep 27 15:36:23 2023 +0200
+
+ Fix state handling of sha3_absorb for s390x.
+
+ The digest life-cycle state diagram has been updated for XOF. Fix the
+ state handling in s390x_sha3_aborb() according to the updated state
+ diagram.
+
+ 
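Review bot: The same four-line guard — refuse unless `xof_state` is INIT or ABSORB, then set the new state — is pasted into `s390x_keccakc_final` here and again into `s390x_sha3_absorb`, `s390x_sha3_final` and `s390x_shake_final` in the three patches that follow; a small static helper would keep the four copies from drifting and reads better than the negated disjunction `!(a == X || a == Y)`. The guard also fails silently with `return 0`; if the provider has an error reason for a bad XOF state transition it belongs here, but none is visible from the hunk. Each of the four functions starts outside its hunk.
```c
/* A sponge accepts input only until it has been finalised or squeezed. */
static int s390x_xof_can_absorb(const KECCAK1600_CTX *ctx)
{
    return ctx->xof_state == XOF_STATE_INIT
        || ctx->xof_state == XOF_STATE_ABSORB;
}

/* … unchanged: s390x_keccakc_final prologue and ossl_prov_is_running() check … */
    if (!s390x_xof_can_absorb(ctx))
        return 0;
    ctx->xof_state = XOF_STATE_FINAL;
```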
Signed-off-by: Holger Dengler
+
+ Reviewed-by: Shane Lontis
+ Reviewed-by: Todd Short
+ Reviewed-by: Tomas Mraz
+ (Merged from https://github.com/openssl/openssl/pull/22221)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -188,6 +188,10 @@ static size_t s390x_sha3_absorb(void *vc
+ KECCAK1600_CTX *ctx = vctx;
+ size_t rem = len % ctx->block_size;
+
++ if (!(ctx->xof_state == XOF_STATE_INIT ||
++ ctx->xof_state == XOF_STATE_ABSORB))
++ return 0;
++ ctx->xof_state = XOF_STATE_ABSORB;
+ s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
+ return rem;
+ }
diff --git a/openssl-3-fix-state-handling-sha3_final_s390x.patch b/openssl-3-fix-state-handling-sha3_final_s390x.patch
new file mode 100644
index 0000000..2752a90
--- /dev/null
+++ b/openssl-3-fix-state-handling-sha3_final_s390x.patch
@@ -0,0 +1,32 @@
+commit 017acc58f6b67d5b347db411a7a1c4e890434f42
+Author: Holger Dengler
+Date: Wed Sep 27 15:36:59 2023 +0200
+
+ Fix state handling of sha3_final for s390x.
+
+ The digest life-cycle state diagram has been updated for XOF. Fix the
+ state handling in s390x_sha3_final() according to the updated state
+ diagram.
+
+ 
Signed-off-by: Holger Dengler
+
+ Reviewed-by: Shane Lontis
+ Reviewed-by: Todd Short
+ Reviewed-by: Tomas Mraz
+ (Merged from https://github.com/openssl/openssl/pull/22221)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -202,6 +202,10 @@ static int s390x_sha3_final(void *vctx,
+
+ if (!ossl_prov_is_running())
+ return 0;
++ if (!(ctx->xof_state == XOF_STATE_INIT ||
++ ctx->xof_state == XOF_STATE_ABSORB))
++ return 0;
++ ctx->xof_state = XOF_STATE_FINAL;
+ s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
+ memcpy(out, ctx->A, outlen);
+ return 1;
diff --git a/openssl-3-fix-state-handling-shake_final_s390x.patch b/openssl-3-fix-state-handling-shake_final_s390x.patch
new file mode 100644
index 0000000..51a52ce
--- /dev/null
+++ b/openssl-3-fix-state-handling-shake_final_s390x.patch
@@ -0,0 +1,32 @@
+commit 288fbb4b71343516cee6f6a44b9ec55d82fb1532
+Author: Holger Dengler
+Date: Wed Sep 27 15:37:29 2023 +0200
+
+ Fix state handling of shake_final for s390x.
+
+ The digest life-cycle state diagram has been updated for XOF. Fix the
+ state handling in s390x_shake_final() according to the updated state
+ diagram.
+
+ 
Signed-off-by: Holger Dengler
+
+ Reviewed-by: Shane Lontis
+ Reviewed-by: Todd Short
+ Reviewed-by: Tomas Mraz
+ (Merged from https://github.com/openssl/openssl/pull/22221)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -217,6 +217,10 @@ static int s390x_shake_final(void *vctx,
+
+ if (!ossl_prov_is_running())
+ return 0;
++ if (!(ctx->xof_state == XOF_STATE_INIT ||
++ ctx->xof_state == XOF_STATE_ABSORB))
++ return 0;
++ ctx->xof_state = XOF_STATE_FINAL;
+ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
+ return 1;
+ }
diff --git a/openssl-3-hw-acceleration-aes-xts-s390x.patch b/openssl-3-hw-acceleration-aes-xts-s390x.patch
new file mode 100644
index 0000000..ddef97f
--- /dev/null
+++ b/openssl-3-hw-acceleration-aes-xts-s390x.patch
@@ -0,0 +1,327 @@
+commit 9cd4051e47c8da8398f93f42f0f56750552965f4
+Author: Holger Dengler
+Date: Tue Aug 6 14:00:49 2024 +0200
+
+ s390x: Add hardware acceleration for full AES-XTS
+
+ The CPACF instruction KM provides support for accelerating the full
+ AES-XTS algorithm on newer machines for AES_XTS_128 and AES_XTS_256.
+
+ Preliminary measurements showed performance improvements of up to 50%,
+ dependent on the message size.
+
+ 
Signed-off-by: Holger Dengler + + Reviewed-by: Tomas Mraz + Reviewed-by: Paul Dale + (Merged from https://github.com/openssl/openssl/pull/25414) + +diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info +index 5eb705969f..1837070c21 100644 +--- a/providers/implementations/ciphers/build.info ++++ b/providers/implementations/ciphers/build.info +@@ -71,6 +71,19 @@ IF[{- !$disabled{asm} -}] + ENDIF + ENDIF + ++IF[{- !$disabled{asm} -}] ++ IF[{- ($target{perlasm_scheme} // '') ne '31' -}] ++ $AESXTSDEF_s390x=AES_XTS_S390X ++ ENDIF ++ ++ # Now that we have defined all the arch specific variables, use the ++ # appropriate one, and define the appropriate macros ++ ++ IF[$AESXTSDEF_{- $target{asm_arch} -}] ++ $AESXTSDEF=$AESXTSDEF_{- $target{asm_arch} -} ++ ENDIF ++ENDIF ++ + # This source is common building blocks for all ciphers in all our providers. + SOURCE[$COMMON_GOAL]=\ + ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \ +@@ -93,6 +106,7 @@ SOURCE[$AES_GOAL]=\ + cipher_aes_cbc_hmac_sha.c \ + cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \ + cipher_cts.c ++DEFINE[$AES_GOAL]=$AESXTSDEF + + # Extra code to satisfy the FIPS and non-FIPS separation. + # When the AES-xxx-XTS moves to legacy, cipher_aes_xts_fips.c can be removed. 
+diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c +index cce2537ea7..2287834d62 100644 +--- a/providers/implementations/ciphers/cipher_aes_xts.c ++++ b/providers/implementations/ciphers/cipher_aes_xts.c +@@ -62,6 +62,10 @@ static int aes_xts_check_keys_differ(const unsigned char *key, size_t bytes, + return 1; + } + ++#ifdef AES_XTS_S390X ++# include "cipher_aes_xts_s390x.inc" ++#endif ++ + /*- + * Provider dispatch functions + */ +@@ -98,6 +102,10 @@ static int aes_xts_einit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen, + const OSSL_PARAM params[]) + { ++#ifdef AES_XTS_S390X ++ if (s390x_aes_xts_einit(vctx, key, keylen, iv, ivlen, params) == 1) ++ return 1; ++#endif + return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 1); + } + +@@ -105,6 +113,10 @@ static int aes_xts_dinit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen, + const OSSL_PARAM params[]) + { ++#ifdef AES_XTS_S390X ++ if (s390x_aes_xts_dinit(vctx, key, keylen, iv, ivlen, params) == 1) ++ return 1; ++#endif + return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0); + } + +@@ -137,6 +149,11 @@ static void *aes_xts_dupctx(void *vctx) + if (!ossl_prov_is_running()) + return NULL; + ++#ifdef AES_XTS_S390X ++ if (in->plat.s390x.fc) ++ return s390x_aes_xts_dupctx(vctx); ++#endif ++ + if (in->xts.key1 != NULL) { + if (in->xts.key1 != &in->ks1) + return NULL; +@@ -157,6 +174,11 @@ static int aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl, + { + PROV_AES_XTS_CTX *ctx = (PROV_AES_XTS_CTX *)vctx; + ++#ifdef AES_XTS_S390X ++ if (ctx->plat.s390x.fc) ++ return s390x_aes_xts_cipher(vctx, out, outl, outsize, in, inl); ++#endif ++ + if (!ossl_prov_is_running() + || ctx->xts.key1 == NULL + || ctx->xts.key2 == NULL +diff --git a/providers/implementations/ciphers/cipher_aes_xts.h b/providers/implementations/ciphers/cipher_aes_xts.h +index 
afc42ef444..56891ca98c 100644 +--- a/providers/implementations/ciphers/cipher_aes_xts.h ++++ b/providers/implementations/ciphers/cipher_aes_xts.h +@@ -22,6 +22,14 @@ PROV_CIPHER_FUNC(void, xts_stream, + const AES_KEY *key1, const AES_KEY *key2, + const unsigned char iv[16])); + ++#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++typedef struct S390X_km_xts_params_st { ++ unsigned char key[64]; ++ unsigned char tweak[16]; ++ unsigned char nap[16]; ++} S390X_KM_XTS_PARAMS; ++#endif ++ + typedef struct prov_aes_xts_ctx_st { + PROV_CIPHER_CTX base; /* Must be first */ + union { +@@ -30,6 +38,23 @@ typedef struct prov_aes_xts_ctx_st { + } ks1, ks2; /* AES key schedules to use */ + XTS128_CONTEXT xts; + OSSL_xts_stream_fn stream; ++ ++ /* Platform specific data */ ++ union { ++ int dummy; ++#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ struct { ++ union { ++ OSSL_UNION_ALIGN; ++ S390X_KM_XTS_PARAMS km; ++ } param; ++ size_t offset; ++ unsigned int fc; ++ unsigned int iv_set : 1; ++ unsigned int key_set : 1; ++ } s390x; ++#endif ++ } plat; + } PROV_AES_XTS_CTX; + + const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_xts(size_t keybits); +diff --git a/providers/implementations/ciphers/cipher_aes_xts_s390x.inc b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc +new file mode 100644 +index 0000000000..77341b3bbd +--- /dev/null ++++ b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc +@@ -0,0 +1,167 @@ ++/* ++ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. 
You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include "crypto/s390x_arch.h" ++ ++static OSSL_FUNC_cipher_encrypt_init_fn s390x_aes_xts_einit; ++static OSSL_FUNC_cipher_decrypt_init_fn s390x_aes_xts_dinit; ++static OSSL_FUNC_cipher_cipher_fn s390x_aes_xts_cipher; ++static OSSL_FUNC_cipher_dupctx_fn s390x_aes_xts_dupctx; ++ ++static int s390x_aes_xts_init(void *vctx, const unsigned char *key, ++ size_t keylen, const unsigned char *iv, ++ size_t ivlen, const OSSL_PARAM params[], ++ unsigned int dec) ++{ ++ PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx; ++ S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km; ++ unsigned int fc, offs; ++ ++ switch (xctx->base.keylen) { ++ case 128 / 8 * 2: ++ fc = S390X_XTS_AES_128_MSA10; ++ offs = 32; ++ break; ++ case 256 / 8 * 2: ++ fc = S390X_XTS_AES_256_MSA10; ++ offs = 0; ++ break; ++ default: ++ goto not_supported; ++ } ++ ++ if (!(OPENSSL_s390xcap_P.km[1] && S390X_CAPBIT(fc))) ++ goto not_supported; ++ ++ if (iv != NULL) { ++ if (ivlen != xctx->base.ivlen ++ || ivlen > sizeof(km->tweak)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); ++ return 0; ++ } ++ memcpy(km->tweak, iv, ivlen); ++ xctx->plat.s390x.iv_set = 1; ++ } ++ ++ if (key != NULL) { ++ if (keylen != xctx->base.keylen) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ if (!aes_xts_check_keys_differ(key, keylen / 2, !dec)) ++ return 0; ++ ++ memcpy(km->key + offs, key, keylen); ++ xctx->plat.s390x.key_set = 1; ++ } ++ ++ xctx->plat.s390x.fc = fc | dec; ++ xctx->plat.s390x.offset = offs; ++ ++ memset(km->nap, 0, sizeof(km->nap)); ++ km->nap[0] = 0x1; ++ ++ return aes_xts_set_ctx_params(xctx, params); ++ ++not_supported: ++ xctx->plat.s390x.fc = 0; ++ xctx->plat.s390x.offset = 0; ++ return 0; ++} ++ ++static int s390x_aes_xts_einit(void *vctx, const unsigned char *key, ++ size_t keylen, const unsigned char *iv, ++ size_t ivlen, const 
OSSL_PARAM params[]) ++{ ++ return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0); ++} ++ ++static int s390x_aes_xts_dinit(void *vctx, const unsigned char *key, ++ size_t keylen, const unsigned char *iv, ++ size_t ivlen, const OSSL_PARAM params[]) ++{ ++ return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params, ++ S390X_DECRYPT); ++} ++ ++static void *s390x_aes_xts_dupctx(void *vctx) ++{ ++ PROV_AES_XTS_CTX *in = (PROV_AES_XTS_CTX *)vctx; ++ PROV_AES_XTS_CTX *ret = OPENSSL_zalloc(sizeof(*in)); ++ ++ if (ret != NULL) ++ *ret = *in; ++ ++ return ret; ++} ++ ++static int s390x_aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl, ++ size_t outsize, const unsigned char *in, ++ size_t inl) ++{ ++ PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx; ++ S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km; ++ unsigned char *param = (unsigned char *)km + xctx->plat.s390x.offset; ++ unsigned int fc = xctx->plat.s390x.fc; ++ unsigned char tmp[2][AES_BLOCK_SIZE]; ++ unsigned char nap_n1[AES_BLOCK_SIZE]; ++ unsigned char drop[AES_BLOCK_SIZE]; ++ size_t len_incomplete, len_complete; ++ ++ if (!ossl_prov_is_running() ++ || inl < AES_BLOCK_SIZE ++ || in == NULL ++ || out == NULL ++ || !xctx->plat.s390x.iv_set ++ || !xctx->plat.s390x.key_set) ++ return 0; ++ ++ /* ++ * Impose a limit of 2^20 blocks per data unit as specified by ++ * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007 ++ * indicated that this was a SHOULD NOT rather than a MUST NOT. ++ * NIST SP 800-38E mandates the same limit. ++ */ ++ if (inl > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_XTS_DATA_UNIT_IS_TOO_LARGE); ++ return 0; ++ } ++ ++ len_incomplete = inl % AES_BLOCK_SIZE; ++ len_complete = (len_incomplete == 0) ? 
inl : ++ (inl / AES_BLOCK_SIZE - 1) * AES_BLOCK_SIZE; ++ ++ if (len_complete > 0) ++ s390x_km(in, len_complete, out, fc, param); ++ if (len_incomplete == 0) ++ goto out; ++ ++ memcpy(tmp, in + len_complete, AES_BLOCK_SIZE + len_incomplete); ++ /* swap NAP for decrypt */ ++ if (fc & S390X_DECRYPT) { ++ memcpy(nap_n1, km->nap, AES_BLOCK_SIZE); ++ s390x_km(tmp[0], AES_BLOCK_SIZE, drop, fc, param); ++ } ++ s390x_km(tmp[0], AES_BLOCK_SIZE, tmp[0], fc, param); ++ if (fc & S390X_DECRYPT) ++ memcpy(km->nap, nap_n1, AES_BLOCK_SIZE); ++ ++ memcpy(tmp[1] + len_incomplete, tmp[0] + len_incomplete, ++ AES_BLOCK_SIZE - len_incomplete); ++ s390x_km(tmp[1], AES_BLOCK_SIZE, out + len_complete, fc, param); ++ memcpy(out + len_complete + AES_BLOCK_SIZE, tmp[0], len_incomplete); ++ ++ /* do not expose temporary data */ ++ OPENSSL_cleanse(tmp, sizeof(tmp)); ++out: ++ memcpy(xctx->base.iv, km->tweak, AES_BLOCK_SIZE); ++ *outl = inl; ++ ++ return 1; ++} diff --git a/openssl-3-jitterentropy-3.4.0.patch b/openssl-3-jitterentropy-3.4.0.patch index dfd8b7f..d59016e 100644 --- a/openssl-3-jitterentropy-3.4.0.patch +++ b/openssl-3-jitterentropy-3.4.0.patch 
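Review bot: `if (!(OPENSSL_s390xcap_P.km[1] && S390X_CAPBIT(fc)))` in `s390x_aes_xts_init` uses logical `&&`, so the condition is satisfied whenever `km[1]` has any bit set and the CAPBIT constant is non-zero — the specific XTS function code is never tested, and on a machine whose KM word has other bits set but not this one the hardware path would still be selected. The HMAC patch in this same commit writes the check correctly as `(OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0`; this line should read `if ((OPENSSL_s390xcap_P.km[1] & S390X_CAPBIT(fc)) == 0) goto not_supported;`. In `s390x_aes_xts_cipher`, `tmp` is wiped but `nap_n1`, which holds a saved copy of the tweak state, is not; add `OPENSSL_cleanse(nap_n1, sizeof(nap_n1));` beside the existing cleanse. `s390x_aes_xts_dupctx` copies the whole `PROV_AES_XTS_CTX` with `*ret = *in`, including `base`, which is only safe if `base` owns no heap pointers — the generic `aes_xts_dupctx` visibly guards against `key1` pointing outside the context, and I cannot confirm the equivalent for `base` from this hunk.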
@@ -1,27 +1,19 @@ -Index: openssl-3.1.4/Configurations/00-base-templates.conf +Index: openssl-3.2.3/Configurations/00-base-templates.conf =================================================================== ---- openssl-3.1.4.orig/Configurations/00-base-templates.conf -+++ openssl-3.1.4/Configurations/00-base-templates.conf -@@ -71,9 +71,12 @@ my %targets=( - lflags => - sub { $withargs{zlib_lib} ? "-L".$withargs{zlib_lib} : () }, - ex_libs => -- sub { !defined($disabled{zlib}) -- && defined($disabled{"zlib-dynamic"}) -- ? "-lz" : () }, -+ sub { -+ my @libs = (); -+ push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"}); -+ push(@libs, "-ljitterentropy") if !defined($disabled{jitterentropy}); -+ return join(" ", @libs); -+ }, - HASHBANGPERL => "/usr/bin/env perl", # Only Unix actually cares - RANLIB => sub { which("$config{cross_compile_prefix}ranlib") - ? "ranlib" : "" }, -Index: openssl-3.1.4/crypto/rand/rand_jitter_entropy.c +--- openssl-3.2.3.orig/Configurations/00-base-templates.conf ++++ openssl-3.2.3/Configurations/00-base-templates.conf +@@ -88,6 +88,7 @@ my %targets=( + sub { + my @libs = (); + push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"}); ++ push(@libs, "-ljitterentropy") if !defined($disabled{jitterentropy}); + if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) { + push(@libs, "-lbrotlienc"); + push(@libs, "-lbrotlidec"); +Index: openssl-3.2.3/crypto/rand/rand_jitter_entropy.c =================================================================== --- /dev/null -+++ openssl-3.1.4/crypto/rand/rand_jitter_entropy.c ++++ openssl-3.2.3/crypto/rand/rand_jitter_entropy.c @@ -0,0 +1,97 @@ +# include "jitterentropy.h" +# include "prov/jitter_entropy.h" 
@@ -120,10 +112,10 @@ Index: openssl-3.1.4/crypto/rand/rand_jitter_entropy.c + CRYPTO_THREAD_lock_free(jent_lock); + jent_lock = NULL; +} -Index: openssl-3.1.4/providers/implementations/rands/seeding/rand_unix.c +Index: openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/rands/seeding/rand_unix.c -+++ openssl-3.1.4/providers/implementations/rands/seeding/rand_unix.c +--- openssl-3.2.3.orig/providers/implementations/rands/seeding/rand_unix.c ++++ openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c @@ -20,6 +20,7 @@ #include "internal/dso.h" #include "internal/nelem.h" @@ -132,7 +124,7 @@ Index: openssl-3.1.4/providers/implementations/rands/seeding/rand_unix.c #ifdef __linux # include -@@ -631,6 +632,31 @@ size_t ossl_pool_acquire_entropy(RAND_PO +@@ -633,6 +634,31 @@ size_t ossl_pool_acquire_entropy(RAND_PO (void)entropy_available; /* avoid compiler warning */ @@ -164,10 +156,10 @@ Index: openssl-3.1.4/providers/implementations/rands/seeding/rand_unix.c # if defined(OPENSSL_RAND_SEED_GETRANDOM) { size_t bytes_needed; -Index: openssl-3.1.4/providers/implementations/include/prov/jitter_entropy.h +Index: openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h =================================================================== --- /dev/null -+++ openssl-3.1.4/providers/implementations/include/prov/jitter_entropy.h ++++ openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h @@ -0,0 +1,17 @@ +#ifndef OSSL_PROVIDERS_JITTER_ENTROPY_H +# define OSSL_PROVIDERS_JITTER_ENTROPY_H 
@@ -186,10 +178,10 @@ Index: openssl-3.1.4/providers/implementations/include/prov/jitter_entropy.h +void FIPS_entropy_cleanup(void); + +#endif -Index: openssl-3.1.4/providers/fips/self_test.c +Index: openssl-3.2.3/providers/fips/self_test.c =================================================================== ---- openssl-3.1.4.orig/providers/fips/self_test.c -+++ openssl-3.1.4/providers/fips/self_test.c +--- openssl-3.2.3.orig/providers/fips/self_test.c ++++ openssl-3.2.3/providers/fips/self_test.c @@ -20,6 +20,7 @@ #include "internal/tsan_assist.h" #include "prov/providercommon.h" @@ -198,7 +190,7 @@ Index: openssl-3.1.4/providers/fips/self_test.c /* * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS -@@ -392,6 +393,11 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS +@@ -498,6 +499,11 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS return 0; } @@ -210,10 +202,10 @@ Index: openssl-3.1.4/providers/fips/self_test.c if (st == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); goto end; -Index: openssl-3.1.4/include/openssl/proverr.h +Index: openssl-3.2.3/include/openssl/proverr.h =================================================================== ---- openssl-3.1.4.orig/include/openssl/proverr.h -+++ openssl-3.1.4/include/openssl/proverr.h +--- openssl-3.2.3.orig/include/openssl/proverr.h ++++ openssl-3.2.3/include/openssl/proverr.h @@ -44,6 +44,7 @@ # define PROV_R_FAILED_TO_GET_PARAMETER 103 # define PROV_R_FAILED_TO_SET_PARAMETER 104 
@@ -222,10 +214,10 @@ Index: openssl-3.1.4/include/openssl/proverr.h # define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR 227 # define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE 224 # define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225 -Index: openssl-3.1.4/providers/common/provider_err.c +Index: openssl-3.2.3/providers/common/provider_err.c =================================================================== ---- openssl-3.1.4.orig/providers/common/provider_err.c -+++ openssl-3.1.4/providers/common/provider_err.c +--- openssl-3.2.3.orig/providers/common/provider_err.c ++++ openssl-3.2.3/providers/common/provider_err.c @@ -54,6 +54,8 @@ static const ERR_STRING_DATA PROV_str_re {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER), "failed to set parameter"}, @@ -235,22 +227,22 @@ Index: openssl-3.1.4/providers/common/provider_err.c {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR), "fips module conditional error"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE), -Index: openssl-3.1.4/crypto/rand/build.info +Index: openssl-3.2.3/crypto/rand/build.info =================================================================== ---- openssl-3.1.4.orig/crypto/rand/build.info -+++ openssl-3.1.4/crypto/rand/build.info +--- openssl-3.2.3.orig/crypto/rand/build.info ++++ openssl-3.2.3/crypto/rand/build.info @@ -1,6 +1,6 @@ LIBS=../../libcrypto -$COMMON=rand_lib.c +$COMMON=rand_lib.c rand_jitter_entropy.c - $CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c + $CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c \ + rand_uniform.c - IF[{- !$disabled{'egd'} -}] -Index: openssl-3.1.4/providers/fips/fipsprov.c +Index: openssl-3.2.3/providers/fips/fipsprov.c =================================================================== ---- openssl-3.1.4.orig/providers/fips/fipsprov.c -+++ openssl-3.1.4/providers/fips/fipsprov.c +--- openssl-3.2.3.orig/providers/fips/fipsprov.c ++++ openssl-3.2.3/providers/fips/fipsprov.c 
@@ -27,6 +27,7 @@ #include "crypto/context.h" #include "internal/core.h" @@ -259,7 +251,7 @@ Index: openssl-3.1.4/providers/fips/fipsprov.c static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes"; static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no"; -@@ -603,6 +604,7 @@ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM +@@ -609,6 +610,7 @@ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM static void fips_teardown(void *provctx) { @@ -267,29 +259,29 @@ Index: openssl-3.1.4/providers/fips/fipsprov.c OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx)); ossl_prov_ctx_free(provctx); } -Index: openssl-3.1.4/util/libcrypto.num +Index: openssl-3.2.3/util/libcrypto.num =================================================================== ---- openssl-3.1.4.orig/util/libcrypto.num -+++ openssl-3.1.4/util/libcrypto.num -@@ -5441,3 +5441,5 @@ X509_get_default_cert_path_env - ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +--- openssl-3.2.3.orig/util/libcrypto.num ++++ openssl-3.2.3/util/libcrypto.num +@@ -5539,3 +5539,5 @@ BIO_ADDR_copy + ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION: ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: +FIPS_entropy_init ? 3_1_4 EXIST::FUNCTION: +FIPS_entropy_cleanup ? 3_1_4 EXIST::FUNCTION: -Index: openssl-3.1.4/Configure +Index: openssl-3.2.3/Configure =================================================================== ---- openssl-3.1.4.orig/Configure -+++ openssl-3.1.4/Configure -@@ -454,6 +454,7 @@ my @disablables = ( - "fuzz-libfuzzer", +--- openssl-3.2.3.orig/Configure ++++ openssl-3.2.3/Configure +@@ -469,6 +469,7 @@ my @disablables = ( "gost", + "http", "idea", + "jitterentropy", "ktls", "legacy", "loadereng", -@@ -550,6 +551,7 @@ our %disabled = ( # "what" => "c +@@ -573,6 +574,7 @@ our %disabled = ( # "what" => "c "external-tests" => "default", "fuzz-afl" => "default", "fuzz-libfuzzer" => "default", 
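Review bot: The two entries appended to util/libcrypto.num, `+FIPS_entropy_init ? 3_1_4 EXIST::FUNCTION:` and `+FIPS_entropy_cleanup ? 3_1_4 EXIST::FUNCTION:`, keep the 3_1_4 version tag although the same rebase moves the neighbouring upstream entry for ossl_safe_getenv from 3_0_0 to 3_2_0; if 3_1_4 is meant to record the release in which this distribution patch first shipped, a one-line comment in the patch saying so would stop the next rebase from "correcting" it. These functions are declared in the provider-internal header providers/implementations/include/prov/jitter_entropy.h, and rand_jitter_entropy.c is added to $COMMON in crypto/rand/build.info, so the code is compiled into both libcrypto and the FIPS module; exporting the pair from libcrypto under the public FIPS_ prefix widens the library ABI, and a sentence in the patch naming the caller that needs the libcrypto export would help whoever audits the module boundary. The inner hunks for self_test.c and fipsprov.c appear here as context only, so the actual call sites cannot be checked from this page.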
@@ -297,7 +289,7 @@ Index: openssl-3.1.4/Configure "ktls" => "default", "md2" => "default", "msan" => "default", -@@ -763,7 +765,7 @@ my %cmdvars = (); # Stores +@@ -801,7 +803,7 @@ my %cmdvars = (); # Stores my %unsupported_options = (); my %deprecated_options = (); # If you change this, update apps/version.c @@ -306,7 +298,7 @@ Index: openssl-3.1.4/Configure my @seed_sources = (); while (@argvcopy) { -@@ -1231,6 +1233,9 @@ if (scalar(@seed_sources) == 0) { +@@ -1291,6 +1293,9 @@ if (scalar(@seed_sources) == 0) { if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) { delete $disabled{'egd'}; } @@ -316,10 +308,10 @@ Index: openssl-3.1.4/Configure if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) { die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1; warn <<_____ if scalar(@seed_sources) == 1; -Index: openssl-3.1.4/crypto/info.c +Index: openssl-3.2.3/crypto/info.c =================================================================== ---- openssl-3.1.4.orig/crypto/info.c -+++ openssl-3.1.4/crypto/info.c +--- openssl-3.2.3.orig/crypto/info.c ++++ openssl-3.2.3/crypto/info.c @@ -15,6 +15,9 @@ #include "internal/e_os.h" #include "buildinf.h" @@ -353,11 +345,11 @@ Index: openssl-3.1.4/crypto/info.c seed_sources = seeds; } return 1; -Index: openssl-3.1.4/INSTALL.md +Index: openssl-3.2.3/INSTALL.md =================================================================== ---- openssl-3.1.4.orig/INSTALL.md -+++ openssl-3.1.4/INSTALL.md -@@ -463,6 +463,12 @@ if provided by the CPU. +--- openssl-3.2.3.orig/INSTALL.md ++++ openssl-3.2.3/INSTALL.md +@@ -511,6 +511,12 @@ if provided by the CPU. Use librandom (not implemented yet). This source is ignored by the FIPS provider. diff --git a/openssl-3-support-CPACF-sha3-shake-perf-improvement.patch b/openssl-3-support-CPACF-sha3-shake-perf-improvement.patch new file mode 100644 index 0000000..e0d7132 --- /dev/null +++ b/openssl-3-support-CPACF-sha3-shake-perf-improvement.patch 
@@ -0,0 +1,196 @@ +From 25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Thu, 29 Feb 2024 12:50:05 +0100 +Subject: [PATCH] s390x: support CPACF sha3/shake performance improvements + +On newer machines the SHA3/SHAKE performance of CPACF instructions KIMD and KLMD +can be enhanced by using additional modifier bits. This allows the application +to omit initializing the ICV, but also affects the internal processing of the +instructions. Performance is mostly gained when processing short messages. + +The new CPACF feature is backwards compatible with older machines, i.e. the new +modifier bits are ignored on older machines. However, to save the ICV +initialization, the application must detect the MSA level and omit the ICV +initialization only if this feature is supported. + +Signed-off-by: Joerg Schmidbauer + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/25235) +--- + crypto/s390x_arch.h | 3 ++ + crypto/s390xcpuid.pl | 4 +-- + crypto/sha/sha3.c | 8 +++++- + providers/implementations/digests/sha3_prov.c | 28 +++++++++++++++---- + 4 files changed, 34 insertions(+), 9 deletions(-) + +Index: openssl-3.2.3/crypto/s390x_arch.h +=================================================================== +--- openssl-3.2.3.orig/crypto/s390x_arch.h ++++ openssl-3.2.3/crypto/s390x_arch.h +@@ -191,6 +191,9 @@ extern int OPENSSL_s390xcex; + # define S390X_KMA_LAAD 0x200 + # define S390X_KMA_HS 0x400 + # define S390X_KDSA_D 0x80 ++# define S390X_KIMD_NIP 0x8000 ++# define S390X_KLMD_DUFOP 0x4000 ++# define S390X_KLMD_NIP 0x8000 + # define S390X_KLMD_PS 0x100 + # define S390X_KMAC_IKP 0x8000 + # define S390X_KMAC_IIMP 0x4000 +Index: openssl-3.2.3/crypto/s390xcpuid.pl +=================================================================== +--- openssl-3.2.3.orig/crypto/s390xcpuid.pl ++++ openssl-3.2.3/crypto/s390xcpuid.pl +@@ -308,7 +308,7 @@ s390x_kimd: + llgfr %r0,$fc + lgr %r1,$param + 
+- .long 0xb93e0002 # kimd %r0,%r2 ++ .long 0xb93e8002 # kimd %r0,%r2[,M3] + brc 1,.-4 # pay attention to "partial completion" + + br $ra +@@ -329,7 +329,7 @@ s390x_klmd: + llgfr %r0,$fc + l${g} %r1,$stdframe($sp) + +- .long 0xb93f0042 # klmd %r4,%r2 ++ .long 0xb93f8042 # klmd %r4,%r2[,M3] + brc 1,.-4 # pay attention to "partial completion" + + br $ra +Index: openssl-3.2.3/crypto/sha/sha3.c +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/sha3.c ++++ openssl-3.2.3/crypto/sha/sha3.c +@@ -8,13 +8,19 @@ + */ + + #include ++#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ) ++# include "crypto/s390x_arch.h" ++#endif + #include "internal/sha3.h" + + void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next); + + void ossl_sha3_reset(KECCAK1600_CTX *ctx) + { +- memset(ctx->A, 0, sizeof(ctx->A)); ++#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ) ++ if (!(OPENSSL_s390xcap_P.stfle[1] & S390X_CAPBIT(S390X_MSA12))) ++#endif ++ memset(ctx->A, 0, sizeof(ctx->A)); + ctx->bufsz = 0; + ctx->xof_state = XOF_STATE_INIT; + } +Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +@@ -187,26 +187,32 @@ static size_t s390x_sha3_absorb(void *vc + { + KECCAK1600_CTX *ctx = vctx; + size_t rem = len % ctx->block_size; ++ unsigned int fc; + + if (!(ctx->xof_state == XOF_STATE_INIT || + ctx->xof_state == XOF_STATE_ABSORB)) + return 0; ++ fc = ctx->pad; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? 
S390X_KIMD_NIP : 0; + ctx->xof_state = XOF_STATE_ABSORB; +- s390x_kimd(inp, len - rem, ctx->pad, ctx->A); ++ s390x_kimd(inp, len - rem, fc, ctx->A); + return rem; + } + + static int s390x_sha3_final(void *vctx, unsigned char *out, size_t outlen) + { + KECCAK1600_CTX *ctx = vctx; ++ unsigned int fc; + + if (!ossl_prov_is_running()) + return 0; + if (!(ctx->xof_state == XOF_STATE_INIT || + ctx->xof_state == XOF_STATE_ABSORB)) + return 0; ++ fc = ctx->pad | S390X_KLMD_DUFOP; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0; + ctx->xof_state = XOF_STATE_FINAL; +- s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A); ++ s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, fc, ctx->A); + memcpy(out, ctx->A, outlen); + return 1; + } +@@ -214,14 +220,17 @@ static int s390x_sha3_final(void *vctx, + static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen) + { + KECCAK1600_CTX *ctx = vctx; ++ unsigned int fc; + + if (!ossl_prov_is_running()) + return 0; + if (!(ctx->xof_state == XOF_STATE_INIT || + ctx->xof_state == XOF_STATE_ABSORB)) + return 0; ++ fc = ctx->pad | S390X_KLMD_DUFOP; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0; + ctx->xof_state = XOF_STATE_FINAL; +- s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A); ++ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A); + return 1; + } + +@@ -271,24 +280,28 @@ static int s390x_keccakc_final(void *vct + size_t bsz = ctx->block_size; + size_t num = ctx->bufsz; + size_t needed = outlen; ++ unsigned int fc; + + if (!ossl_prov_is_running()) + return 0; + if (!(ctx->xof_state == XOF_STATE_INIT || + ctx->xof_state == XOF_STATE_ABSORB)) + return 0; ++ fc = ctx->pad; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? 
S390X_KIMD_NIP : 0; + ctx->xof_state = XOF_STATE_FINAL; + if (outlen == 0) + return 1; + memset(ctx->buf + num, 0, bsz - num); + ctx->buf[num] = padding; + ctx->buf[bsz - 1] |= 0x80; +- s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A); ++ s390x_kimd(ctx->buf, bsz, fc, ctx->A); + num = needed > bsz ? bsz : needed; + memcpy(out, ctx->A, num); + needed -= num; + if (needed > 0) +- s390x_klmd(NULL, 0, out + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A); ++ s390x_klmd(NULL, 0, out + bsz, needed, ++ ctx->pad | S390X_KLMD_PS | S390X_KLMD_DUFOP, ctx->A); + + return 1; + } +@@ -308,6 +321,7 @@ static int s390x_keccakc_squeeze(void *v + { + KECCAK1600_CTX *ctx = vctx; + size_t len; ++ unsigned int fc; + + if (!ossl_prov_is_running()) + return 0; +@@ -323,7 +337,9 @@ static int s390x_keccakc_squeeze(void *v + memset(ctx->buf + ctx->bufsz, 0, len); + ctx->buf[ctx->bufsz] = padding; + ctx->buf[ctx->block_size - 1] |= 0x80; +- s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A); ++ fc = ctx->pad; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0; ++ s390x_kimd(ctx->buf, ctx->block_size, fc, ctx->A); + ctx->bufsz = 0; + /* reuse ctx->bufsz to count bytes squeezed from current sponge */ + } diff --git a/openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch b/openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch new file mode 100644 index 0000000..2d8f8dd --- /dev/null +++ b/openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch @@ -0,0 +1,160 @@ +commit 94898923538f686b74b6ddef34571f804d9b3811 +Author: Holger Dengler +Date: Wed Sep 27 15:40:47 2023 +0200 + + Support EVP_DigestSqueeze() for in the digest provider for s390x. + + The new EVP_DigestSqueeze() API requires changes to all keccak-based + digest provider implementations. Update the s390x-part of the SHA3 + digest provider. + + Squeeze for SHA3 is not supported, so add an empty function pointer + (NULL). + + 
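Review bot: The change to ossl_sha3_reset in crypto/sha/sha3.c skips `memset(ctx->A, 0, sizeof(ctx->A))` whenever S390X_MSA12 is present, so every CPACF path now has to pass the NIP modifier on the first instruction of a new message; the hunks here do that for s390x_sha3_absorb, s390x_sha3_final, s390x_shake_final, s390x_keccakc_final and s390x_keccakc_squeeze, but s390x_shake_squeeze (added by openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch) still calls `s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A)` on its first-call path with no NIP, which on a re-initialised context would consume stale state unless the later openssl-3-fix-s390x_shake_squeeze.patch in this series covers it. A second consequence of the skipped memset is that a reused KECCAK1600_CTX keeps the previous message's sponge state — for KMAC that state is derived from the key — until the next absorb overwrites it, whereas reset used to zeroise it; whether that residue is acceptable depends on how contexts are freed, which is outside this patch. Both invariants deserve a comment at the `if (!(OPENSSL_s390xcap_P.stfle[1] & S390X_CAPBIT(S390X_MSA12)))` guard, e.g. `/* MSA12: state is not cleared here; every kimd/klmd issued while xof_state == XOF_STATE_INIT must carry the NIP modifier */`. The hard-coded M3 nibble in the new `.long 0xb93e8002 # kimd %r0,%r2[,M3]` and `.long 0xb93f8042 # klmd %r4,%r2[,M3]` encodings applies to every caller of s390x_kimd/s390x_klmd, not only the SHA3 paths, so the comment there should state that the modifier is ignored on machines without the facility, as the commit message claims.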
Signed-off-by: Holger Dengler + + Reviewed-by: Shane Lontis + Reviewed-by: Todd Short + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/22221) + +diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c +index f691273baf..2fd0f928e7 100644 +--- a/providers/implementations/digests/sha3_prov.c ++++ b/providers/implementations/digests/sha3_prov.c +@@ -225,6 +225,45 @@ static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen) + return 1; + } + ++static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen) ++{ ++ KECCAK1600_CTX *ctx = vctx; ++ size_t len; ++ ++ if (!ossl_prov_is_running()) ++ return 0; ++ if (ctx->xof_state == XOF_STATE_FINAL) ++ return 0; ++ /* ++ * On the first squeeze call, finish the absorb process (incl. padding). ++ */ ++ if (ctx->xof_state != XOF_STATE_SQUEEZE) { ++ ctx->xof_state = XOF_STATE_SQUEEZE; ++ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A); ++ ctx->bufsz = outlen % ctx->block_size; ++ /* reuse ctx->bufsz to count bytes squeezed from current sponge */ ++ return 1; ++ } ++ ctx->xof_state = XOF_STATE_SQUEEZE; ++ if (ctx->bufsz != 0) { ++ len = ctx->block_size - ctx->bufsz; ++ if (outlen < len) ++ len = outlen; ++ memcpy(out, (char *)ctx->A + ctx->bufsz, len); ++ out += len; ++ outlen -= len; ++ ctx->bufsz += len; ++ if (ctx->bufsz == ctx->block_size) ++ ctx->bufsz = 0; ++ } ++ if (outlen == 0) ++ return 1; ++ s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A); ++ ctx->bufsz = outlen % ctx->block_size; ++ ++ return 1; ++} ++ + static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen, + int padding) + { +@@ -264,28 +303,86 @@ static int s390x_kmac_final(void *vctx, unsigned char *out, size_t outlen) + return s390x_keccakc_final(vctx, out, outlen, 0x04); + } + ++static int s390x_keccakc_squeeze(void *vctx, unsigned char *out, size_t outlen, ++ int padding) ++{ ++ 
KECCAK1600_CTX *ctx = vctx; ++ size_t len; ++ ++ if (!ossl_prov_is_running()) ++ return 0; ++ if (ctx->xof_state == XOF_STATE_FINAL) ++ return 0; ++ /* ++ * On the first squeeze call, finish the absorb process ++ * by adding the trailing padding and then doing ++ * a final absorb. ++ */ ++ if (ctx->xof_state != XOF_STATE_SQUEEZE) { ++ len = ctx->block_size - ctx->bufsz; ++ memset(ctx->buf + ctx->bufsz, 0, len); ++ ctx->buf[ctx->bufsz] = padding; ++ ctx->buf[ctx->block_size - 1] |= 0x80; ++ s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A); ++ ctx->bufsz = 0; ++ /* reuse ctx->bufsz to count bytes squeezed from current sponge */ ++ } ++ if (ctx->bufsz != 0 || ctx->xof_state != XOF_STATE_SQUEEZE) { ++ len = ctx->block_size - ctx->bufsz; ++ if (outlen < len) ++ len = outlen; ++ memcpy(out, (char *)ctx->A + ctx->bufsz, len); ++ out += len; ++ outlen -= len; ++ ctx->bufsz += len; ++ if (ctx->bufsz == ctx->block_size) ++ ctx->bufsz = 0; ++ } ++ ctx->xof_state = XOF_STATE_SQUEEZE; ++ if (outlen == 0) ++ return 1; ++ s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A); ++ ctx->bufsz = outlen % ctx->block_size; ++ ++ return 1; ++} ++ ++static int s390x_keccak_squeeze(void *vctx, unsigned char *out, size_t outlen) ++{ ++ return s390x_keccakc_squeeze(vctx, out, outlen, 0x01); ++} ++ ++static int s390x_kmac_squeeze(void *vctx, unsigned char *out, size_t outlen) ++{ ++ return s390x_keccakc_squeeze(vctx, out, outlen, 0x04); ++} ++ + static PROV_SHA3_METHOD sha3_s390x_md = + { + s390x_sha3_absorb, +- s390x_sha3_final ++ s390x_sha3_final, ++ NULL, + }; + + static PROV_SHA3_METHOD keccak_s390x_md = + { + s390x_sha3_absorb, + s390x_keccak_final, ++ s390x_keccak_squeeze, + }; + + static PROV_SHA3_METHOD shake_s390x_md = + { + s390x_sha3_absorb, +- s390x_shake_final ++ s390x_shake_final, ++ s390x_shake_squeeze, + }; + + static PROV_SHA3_METHOD kmac_s390x_md = + { + s390x_sha3_absorb, +- s390x_kmac_final ++ s390x_kmac_final, ++ s390x_kmac_squeeze, + }; + + # define 
SHAKE_SET_MD(uname, typ) \ diff --git a/openssl-3-support-multiple-sha3_squeeze_s390x.patch b/openssl-3-support-multiple-sha3_squeeze_s390x.patch new file mode 100644 index 0000000..2f037a9 --- /dev/null +++ b/openssl-3-support-multiple-sha3_squeeze_s390x.patch @@ -0,0 +1,46 @@ +commit bff62480333680463c82e88fdc67ed5ec14a0017 +Author: Holger Dengler +Date: Wed Sep 27 11:18:18 2023 +0200 + + Support multiple calls of low level SHA3_squeeze() for s390x. + + The low level SHA3_Squeeze() function needed to change slightly so + that it can handle multiple squeezes. Support this on s390x + architecture as well. + + Signed-off-by: Holger Dengler + + Reviewed-by: Shane Lontis + Reviewed-by: Todd Short + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/22221) + +diff --git a/crypto/sha/asm/keccak1600-s390x.pl b/crypto/sha/asm/keccak1600-s390x.pl +index 86233c7e38..7d5ebde117 100755 +--- a/crypto/sha/asm/keccak1600-s390x.pl ++++ b/crypto/sha/asm/keccak1600-s390x.pl +@@ -472,7 +472,7 @@ SHA3_absorb: + .size SHA3_absorb,.-SHA3_absorb + ___ + } +-{ my ($A_flat,$out,$len,$bsz) = map("%r$_",(2..5)); ++{ my ($A_flat,$out,$len,$bsz,$next) = map("%r$_",(2..6)); + + $code.=<<___; + .globl SHA3_squeeze +@@ -484,6 +484,7 @@ SHA3_squeeze: + lghi %r14,8 + st${g} $bsz,5*$SIZE_T($sp) + la %r1,0($A_flat) ++ cijne $next,0,.Lnext_block + + j .Loop_squeeze + +@@ -501,6 +502,7 @@ SHA3_squeeze: + + brct $bsz,.Loop_squeeze # bsz-- + ++.Lnext_block: + stm${g} $out,$len,3*$SIZE_T($sp) + bras %r14,.LKeccakF1600 + lm${g} $out,$bsz,3*$SIZE_T($sp) diff --git a/openssl-3-use-include-directive.patch b/openssl-3-use-include-directive.patch deleted file mode 100644 index d3ed451..0000000 --- a/openssl-3-use-include-directive.patch +++ /dev/null 
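Review bot: s390x_shake_squeeze and s390x_keccakc_squeeze both serve leftover output with `memcpy(out, (char *)ctx->A + ctx->bufsz, len)`, which relies on KLMD/KIMD leaving the most recently squeezed block in ctx->A and on ctx->bufsz recording how much of that block was already returned; that contract is only hinted at by `/* reuse ctx->bufsz to count bytes squeezed from current sponge */` and should be spelled out once where bufsz is repurposed, e.g. `/* from the first squeeze on, bufsz counts bytes of the current block already copied out of ctx->A; 0 means the block is exhausted */`. In s390x_shake_squeeze the statement `ctx->xof_state = XOF_STATE_SQUEEZE;` after the first-call branch is a no-op, because the branch returns and the earlier check rejects XOF_STATE_FINAL, so the state is already SQUEEZE there; either drop it or mirror s390x_keccakc_squeeze, which sets the state once after the copy. The `s390x_keccakc_squeeze` condition `if (ctx->bufsz != 0 || ctx->xof_state != XOF_STATE_SQUEEZE)` differs from shake's `if (ctx->bufsz != 0)` for the block-aligned first squeeze, and a comment explaining why the padded kimd block must be copied even when bufsz is 0 would make the asymmetry intentional rather than accidental.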
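Review bot: The new `$next` argument of SHA3_squeeze in keccak1600-s390x.pl is consumed by `cijne $next,0,.Lnext_block` with no comment saying what a non-zero value means, while the C prototype visible elsewhere in this series is `void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next);`. The label is placed so that the branch appears to run `.LKeccakF1600` before the first squeezed block; a trailing comment such as `cijne $next,0,.Lnext_block # next!=0: permute before squeezing the first block` and `.Lnext_block: # entered directly on a continued squeeze` would document the contract its callers depend on. The branch is taken after `st${g} $bsz,5*$SIZE_T($sp)` and before the first `.Loop_squeeze` pass, so the save/restore pairs around `.LKeccakF1600` still balance; the loop body itself is outside the hunk, so that ordering is worth stating explicitly.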
@@ -1,35 +0,0 @@ ---- - apps/openssl.cnf | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -Index: openssl-3.1.4/apps/openssl.cnf -=================================================================== ---- openssl-3.1.4.orig/apps/openssl.cnf -+++ openssl-3.1.4/apps/openssl.cnf -@@ -19,6 +19,7 @@ openssl_conf = openssl_init - # Comment out the next line to ignore configuration errors - config_diagnostics = 1 - -+[ oid_section ] - # Extra OBJECT IDENTIFIER info: - # oid_file = $ENV::HOME/.oid - oid_section = new_oids -@@ -47,6 +48,18 @@ providers = provider_sect - # Load default TLS policy configuration - ssl_conf = ssl_module - -+engines = engine_section -+ -+[ engine_section ] -+ -+# This include will look through the directory that will contain the -+# engine declarations for any engines provided by other packages. -+.include /etc/ssl/engines3.d -+ -+# This include will look through the directory that will contain the -+# definitions of the engines declared in the engine section. -+.include /etc/ssl/engdef3.d -+ - # Uncomment the sections that start with ## below to enable the legacy provider. - # Loading the legacy provider enables support for the following algorithms: - # Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160 diff --git a/openssl-3.1.4.tar.gz b/openssl-3.1.4.tar.gz deleted file mode 100644 index dde84fd..0000000 --- a/openssl-3.1.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3 -size 15569450 diff --git a/openssl-3.1.4.tar.gz.asc b/openssl-3.1.4.tar.gz.asc deleted file mode 100644 index d7c5025..0000000 --- a/openssl-3.1.4.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9
-efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA
-U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si
-ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C
-hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx
-NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP
-0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec
-h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD
-MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN
-UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F
-FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs
-5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o=
-=EH33
------END PGP SIGNATURE-----
diff --git a/openssl-3.2.3.tar.gz b/openssl-3.2.3.tar.gz
new file mode 100644
index 0000000..961fe1a
--- /dev/null
+++ b/openssl-3.2.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239
+size 17762604
diff --git a/openssl-3.2.3.tar.gz.asc b/openssl-3.2.3.tar.gz.asc
new file mode 100644
index 0000000..4061984
--- /dev/null
+++ b/openssl-3.2.3.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmbXBpkACgkQIWCU39DL
+ge81Ww//d6tE9XznGxx/+xfBFADDTALPDaO8yogJtECMMxixXn1zuWYheH40z5zO
+MTmIeHVLowXlfBl4YO8I+SDGbZy4CKFix3j+r/dojvteiPXrBKd83e67e0mDotAD
+w3NYar1Gh8kXnq63zEV8JRBjRhLb2b7uJhi1UUtaCgOfK/wvRVWiBDWyVAkVjR0V
+NGCQg6FXCjxXY9G01wyqBlZt4T/h/SxN+iZUWRRPrekTxVNAQxFsMLYupuULpeaz
+uHvXXJ1Os/Mh4zD8a/SHrbdw3ncHb7JmCNZu4cPUkNVw0Dc0y64SP+Wviet1oOio
+/pTnfq6ptUTpzkSFiI9ZmTS1eiqQ24BLdwu3J/6ss9hZUlFZPUozsH6HTVpRxWhI
+edp5fa8rpQ5wX+ftGNxA1tRhWjCrR1VgFhdZX5T4rS5fU3OX5TXPwHKqaFyGlxQd
+GV467+BgxixgEU5xMirkJ/WbYrcSEFS1i9EbL6HwJ2vO02jHNfK7Biy+krOZKnx1
+Oniv4DoPR1s2De+OinDI30Zo9STizpiFiv27vw+l8Wj6+SnCFoyAZMVYcdYXSAws
+Im054SFCpw1cqhhHMBMOodqUv2CEMyBLuUyjjOF6oFteUp/VEe8JUrkQBA+LhDgX
+kPNzpSTnX9lB/ALvaedOUyIQf8sV3IEGn7zWGOTBp1QLu6hiId8=
+=1Xgs
+-----END PGP SIGNATURE-----
diff --git a/openssl-3.changes b/openssl-3.changes
index 74143fd..4267466 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
@@ -1,8 +1,401 @@
+-------------------------------------------------------------------
+Mon Dec 23 20:14:08 UTC 2024 - Giuliano Belinassi
+
+- Add support for userspace livepatching on ppc64le (jsc#PED-11850).
+- Use gcc-13 for ppc64le.
+
+-------------------------------------------------------------------
+Tue Dec 17 12:42:19 UTC 2024 - Pedro Monreal
+
+- Fix evp_properties section in the openssl.cnf file [bsc#1234647]
+ * Rebase patches:
+ - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ - openssl-TESTS-Disable-default-provider-crypto-policies.patch
+
+-------------------------------------------------------------------
+Tue Nov 12 15:46:20 UTC 2024 - Pedro Monreal
+
+- Do not use HASHBANGPERL to avoid introducing a dependency on the
+ perl-base package. [bsc#1233235]
+
+-------------------------------------------------------------------
+Thu Nov 7 16:43:15 UTC 2024 - Angel Yankov
+
+- Add missing fixes for SHA3_squeeze and quic_multistream_test on
+ pcc64 arch. [jsc#PED-10280]
+ * Added openssl-3-fix-sha3-squeeze-ppc64.patch
+ * Added openssl-3-fix-quic_multistream_test.patch
+
+-------------------------------------------------------------------
+Tue Nov 5 15:11:46 UTC 2024 - Angel Yankov
+
+- Support MSA 11 HMAC on s390x [jsc#PED-10274]
+ * Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
+ * Add openssl-3-fix-hmac-digest-detection-s390x.patch
+ * Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
+
+-------------------------------------------------------------------
+Tue Nov 5 10:39:14 UTC 2024 - Angel Yankov
+
+- Add hardware acceleration for full AES-XTS [jsc#PED-10273]
+ * Add openssl-3-hw-acceleration-aes-xts-s390x.patch
+
+-------------------------------------------------------------------
+Fri Nov 1 14:32:50 UTC 2024 - Angel Yankov
+
+- Support MSA 12 SHA3 on s390x [jsc#PED-10280]
+ * Add openssl-3-add_EVP_DigestSqueeze_api.patch
+ * Add openssl-3-support-multiple-sha3_squeeze_s390x.patch
+ * Add 
openssl-3-add-xof-state-handling-s3_absorb.patch
+ * Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch
+ * Add openssl-3-fix-state-handling-sha3_final_s390x.patch
+ * Add openssl-3-fix-state-handling-shake_final_s390x.patch
+ * Add openssl-3-fix-state-handling-keccak_final_s390x.patch
+ * Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
+ * Add openssl-3-add-defines-CPACF-funcs.patch
+ * Add openssl-3-add-hw-acceleration-hmac.patch
+ * Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
+ * Add openssl-3-fix-s390x_sha3_absorb.patch
+ * Add openssl-3-fix-s390x_shake_squeeze.patch
+
+-------------------------------------------------------------------
+Mon Oct 28 09:38:20 UTC 2024 - Pedro Monreal
+
+- Update to 3.2.3:
+ * Changes between 3.2.2 and 3.2.3:
+ - Fixed possible denial of service in X.509 name checks. [CVE-2024-6119]
+ - Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535]
+ * Changes between 3.2.1 and 3.2.2:
+ - Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741]
+ - Fixed an issue where checking excessively long DSA keys or parameters may
+ be very slow. [CVE-2024-4603]
+ - Improved EC/DSA nonce generation routines to avoid bias and timing
+ side channel leaks.
+ - Fixed an issue where some non-default TLS server configurations can cause
+ unbounded memory growth when processing TLSv1.3 sessions. [CVE-2024-2511]
+ - New atexit configuration switch, which controls whether the OPENSSL_cleanup
+ is registered when libcrypto is unloaded. This can be used on platforms
+ where using atexit() from shared libraries causes crashes on exit.
+ - Fixed bug where SSL_export_keying_material() could not be used with QUIC
+ connections.
+ * Add openssl-skip-quic-pairwise.patch to adapt the pairwise tests. 
+ * Merge openssl-FIPS-release_num_in_version_string.patch into
+ openssl-FIPS-services-minimize.patch
+ * Rebase patches:
+ - openssl-Add-changes-to-ectest-and-eccurve.patch
+ - openssl-FIPS-140-3-keychecks.patch
+ - openssl-FIPS-embed-hmac.patch
+ - openssl-Remove-EC-curves.patch
+ - openssl-skipped-tests-EC-curves.patch
+ - openssl-FIPS-early-KATS.patch
+ - openssl-Allow-disabling-of-SHA1-signatures.patch
+ - openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+ - openssl-FIPS-limit-rsa-encrypt.patch
+ - openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+ - openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+ - openssl-FIPS-140-3-DRBG.patch
+ - openssl-FIPS-140-3-zeroization.patch
+ - openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
+ - openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
+ - openssl-FIPS-Add-explicit-indicator-for-key-length.patch
+ - openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+ - openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
+ - openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
+ - openssl-FIPS-enforce-EMS-support.patch
+ - openssl-3-jitterentropy-3.4.0.patch
+ * Remove not needed patches:
+ - openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+ - openssl-3-FIPS-PCT_rsa_keygen.patch
+
+-------------------------------------------------------------------
+Mon Oct 28 09:22:33 UTC 2024 - Pedro Monreal
+
+- Remove the engines' directories and symlinks that were added to
+ allow parallel installations with openssl-1_1.
+ * Remove openssl-3-use-include-directive.patch
+
+-------------------------------------------------------------------
+Mon Oct 28 08:43:34 UTC 2024 - Pedro Monreal
+
+- Remove the hardcoded DEFAULT_SUSE cipherlist selection. 
+ * Remove openssl-DEFAULT_SUSE_cipher.patch
+
+-------------------------------------------------------------------
+Fri Oct 25 09:32:01 UTC 2024 - Pedro Monreal
+
+- Update to 3.2.1:
+ * Changes between 3.2.0 and 3.2.1:
+ - A file in PKCS12 format can contain certificates and keys and may come from
+ an untrusted source. The PKCS12 specification allows certain fields to be
+ NULL, but OpenSSL did not correctly check for this case. [CVE-2024-0727]
+ - When function EVP_PKEY_public_check() is called on RSA public keys,
+ a computation is done to confirm that the RSA modulus, n, is composite.
+ For valid RSA keys, n is a product of two or more large primes and this
+ computation completes quickly. However, if n is an overly large prime,
+ then this computation would take a long time. [CVE-2023-6237]
+ - Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
+ have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
+ rather than SM2.
+ - The POLY1305 MAC (message authentication code) implementation in OpenSSL
+ for PowerPC CPUs saves the contents of vector registers in different
+ order than they are restored. [CVE-2023-6129]
+ - Disable building QUIC server utility when OpenSSL is configured with 'no-apps'. 
+ * The openssl-crypto-policies-support.patch has been merged into
+ openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ * Rename openssl-Disable-default-provider-for-test-suite.patch and rebase to
+ openssl-TESTS-Disable-default-provider-crypto-policies.patch
+ * Patches removed in the update:
+ - openssl-Add_support_for_Windows_CA_certificate_store.patch
+ - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
+ - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
+ - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
+ - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
+ - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
+ - openssl-CVE-2024-41996.patch
+ - openssl-CVE-2023-50782.patch
+ - openssl-CVE-2024-9143.patch
+ * Patches rebased:
+ - openssl-3-use-include-directive.patch
+ - openssl-Add-Kernel-FIPS-mode-flag-support.patch
+ - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ - openssl-DEFAULT_SUSE_cipher.patch
+ - openssl-FIPS-embed-hmac.patch
+ - openssl-Force-FIPS.patch
+ - openssl-load-legacy-provider.patch
+ - openssl-no-html-docs.patch
+ - openssl-pkgconfig.patch
+ - openssl-ppc64-config.patch
+ - openssl-truststore.patch
+
+-------------------------------------------------------------------
+Fri Oct 25 09:14:20 UTC 2024 - Pedro Monreal
+
+- Update to 3.2.0:
+ * Changes between 3.1.x and 3.2.0:
+ - Fix excessive time spent in DH check/ generation with large Q parameter
+ value. [CVE-2023-5678]
+ - The BLAKE2b hash algorithm supports a configurable output length
+ by setting the "size" parameter.
+ - Added a function to delete objects from store by URI - OSSL_STORE_delete()
+ and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete().
+ - Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass
+ a passphrase callback when opening a store. 
+ - Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt)
+ from 8 bytes to 16 bytes.
+ - Changed the default value of the 'ess_cert_id_alg' configuration
+ option which is used to calculate the TSA's public key certificate
+ identifier. The default algorithm is updated to be sha256 instead of sha1.
+ - Added optimization for SM2 algorithm on aarch64. A new configure option
+ 'no-sm2-precomp' has been added to disable the precomputed table.
+ - Added client side support for QUIC
+ - Added secp384r1 implementation using Solinas' reduction to improve
+ speed of the NIST P-384 elliptic curve. To enable the implementation
+ the build option 'enable-ec_nistp_64_gcc_128' must be used.
+ - Improved RFC7468 compliance of the asn1parse command.
+ - Added SHA256/192 algorithm support.
+ - Added support for securely getting root CA certificate update in CMP.
+ - Improved contention on global write locks by using more read locks where
+ appropriate.
+ - Improved performance of OSSL_PARAM lookups in performance critical
+ provider functions.
+ - Added the SSL_get0_group_name() function to provide access to the
+ name of the group used for the TLS key exchange.
+ - Provide a new configure option 'no-http' that can be used to disable the
+ HTTP support. Provide new configure options 'no-apps' and 'no-docs' to
+ disable building the openssl command line application and the documentation.
+ - Provide a new configure option 'no-ecx' that can be used to disable the
+ X25519, X448, and EdDSA support.
+ - When multiple OSSL_KDF_PARAM_INFO parameters are passed to
+ the EVP_KDF_CTX_set_params() function they are now concatenated not just
+ for the HKDF algorithm but also for SSKDF and X9.63 KDF algorithms.
+ - Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions that get
+ the provider context as a parameter.
+ - TLS round-trip time calculation was added by a Brigham Young University
+ Capstone team partnering with Sandia National Laboratories. 
A new function
+ in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this
+ value.
+ - Added the "-quic" option to s_client to enable connectivity to QUIC servers.
+ QUIC requires the use of ALPN, so this must be specified via the "-alpn"
+ option. Use of the "advanced" s_client command command via the "-adv" option
+ is recommended.
+ - Added an "advanced" command mode to s_client. Use this with the "-adv" option.
+ - Add Raw Public Key (RFC7250) support.
+ - Added support for modular exponentiation and CRT offloading for the
+ S390x architecture.
+ - Added further assembler code for the RISC-V architecture.
+ - Added EC_GROUP_to_params() which creates an OSSL_PARAM array
+ from a given EC_GROUP.
+ - Improved support for non-default library contexts and property queries
+ when parsing PKCS#12 files.
+ - Implemented support for all five instances of EdDSA from RFC8032:
+ Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph.
+ The streaming is not yet supported for the HashEdDSA variants
+ (Ed25519ph and Ed448ph).
+ - Added SM4 optimization for ARM processors using ASIMD and AES HW instructions.
+ - Implemented SM4-XTS support.
+ - Added platform-agnostic OSSL_sleep() function.
+ - Implemented deterministic ECDSA signatures (RFC6979) support.
+ - Implemented AES-GCM-SIV (RFC8452) support.
+ - Added support for pluggable (provider-based) TLS signature algorithms.
+ This enables TLS 1.3 authentication operations with algorithms embedded
+ in providers not included by default in OpenSSL. In combination with
+ the already available pluggable KEM and X.509 support, this enables
+ for example suitable providers to deliver post-quantum or quantum-safe
+ cryptography to OpenSSL users.
+ - Added support for pluggable (provider-based) CMS signature algorithms.
+ This enables CMS sign and verify operations with algorithms embedded
+ in providers not included by default in OpenSSL.
+ - Implemented HPKE DHKEM support in providers used by HPKE (RFC9180) API. 
+ - Add support for certificate compression (RFC8879), including
+ library support for Brotli and Zstandard compression.
+ - Add the ability to add custom attributes to PKCS12 files. Add a new API
+ PKCS12_create_ex2, identical to the existing PKCS12_create_ex but allows
+ for a user specified callback and optional argument.
+ Added a new PKCS12_SAFEBAG_set0_attr, which allows for a new attr to be
+ added to the existing STACK_OF attrs.
+ - Major refactor of the libssl record layer.
+ - Add a mac salt length option for the pkcs12 command.
+ - Add more SRTP protection profiles from RFC8723 and RFC8269.
+ - Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload.
+ - Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where
+ supported and enabled.
+ - Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
+ to the list of ciphersuites providing Perfect Forward Secrecy as
+ required by SECLEVEL >= 3.
+ - Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting.
+ The SSL_CTRL_GET_IANA_GROUPS control code, exposed as the
+ SSL_get0_iana_groups() function-like macro, retrieves the list of
+ supported groups sent by the peer.
+ - Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid()
+ to make it possible to use empty passphrase strings.
+ - The PKCS12_parse() function now supports MAC-less PKCS12 files.
+ - Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions() calls to be able
+ to change functions used for allocating the memory of asynchronous call stack.
+ - Added support for signed BIGNUMs in the OSSL_PARAM APIs.
+ - A failure exit code is returned when using the openssl x509 command to check
+ certificate attributes and the checks fail.
+ - The default SSL/TLS security level has been changed from 1 to 2. 
RSA,
+ DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
+ of 160 bits and above and less than 224 bits were previously accepted by
+ default but are now no longer allowed. By default TLS compression was
+ already disabled in previous OpenSSL versions. At security level 2 it cannot
+ be enabled.
+ - The SSL_CTX_set_cipher_list family functions now accept ciphers using their
+ IANA standard names.
+ - The PVK key derivation function has been moved from b2i_PVK_bio_ex() into
+ the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
+ will need to load the legacy crypto provider.
+ - CCM8 cipher suites in TLS have been downgraded to security level zero
+ because they use a short authentication tag which lowers their strength.
+ - Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
+ by default. Also spaces surrounding '=' in DN output are removed.
+ - Add X.509 certificate codeSigning purpose and related checks on key usage and
+ extended key usage of the leaf certificate according to the CA/Browser Forum.
+ - The 'x509', 'ca', and 'req' apps now produce X.509 v3 certificates.
+ The '-x509v1' option of 'req' prefers generation of X.509 v1 certificates.
+ 'X509_sign()' and 'X509_sign_ctx()' make sure that the certificate has
+ X.509 version 3 if the certificate information includes X.509 extensions.
+ - Fix and extend certificate handling and the apps 'x509', 'verify' etc.
+ such as adding a trace facility for debugging certificate chain building.
+ - Various fixes and extensions to the CMP+CRMF implementation and the 'cmp' app
+ in particular supporting requests for central key generation, generalized
+ polling, and various types of genm/genp exchanges defined in CMP Updates.
+ - Fixes and extensions to the HTTP client and to the HTTP server in 'apps/'
+ like correcting the TLS and proxy support and adding tracing for debugging. 
+ - Extended the CMS API for handling 'CMS_SignedData' and 'CMS_EnvelopedData'.
+ - 'CMS_add0_cert()' and 'CMS_add1_cert()' no longer throw an error if
+ a certificate to be added is already present. 'CMS_sign_ex()' and
+ 'CMS_sign()' now ignore any duplicate certificates in their 'certs' argument
+ and no longer throw an error for them.
+ - Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
+ BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg()
+ calls. They can be used as the transport BIOs for QUIC.
+ - Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow
+ sending and receiving multiple messages in a single call. An implementation
+ is provided for BIO_dgram. For further details, see BIO_sendmmsg(3).
+ - Support for loading root certificates from the Windows certificate store
+ has been added.
+ - Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some linux
+ kernel versions that support KTLS have a known bug in CCM processing. That
+ has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7,
+ and all releases since 5.16. KTLS with CCM ciphersuites should be only used
+ on these releases.
+ - Added '-ktls' option to 's_server' and 's_client' commands to enable the
+ KTLS support.
+ - Zerocopy KTLS sendfile() support on Linux.
+ - The OBJ_ calls are now thread safe using a global lock.
+ - New parameter '-digest' for openssl cms command allowing signing
+ pre-computed digests and new CMS API functions supporting that
+ functionality.
+ - OPENSSL_malloc() and other allocation functions now raise errors on
+ allocation failures. The callers do not need to explicitly raise errors
+ unless they want to for tracing purposes.
+ - Added support for Brainpool curves in TLS-1.3.
+ - Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
+ a basic thread pool implementation for select platforms. 
+
+-------------------------------------------------------------------
+Mon Oct 21 11:01:59 UTC 2024 - Pedro Monreal
+
+- Update to 3.1.7:
+ * Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
+ - Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
+ - Fixed possible buffer overread in SSL_select_next_proto()
+ (CVE-2024-5535)
+ * Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
+ - Fixed potential use after free after SSL_free_buffers() is
+ called (CVE-2024-4741)
+ - Fixed an issue where checking excessively long DSA keys or
+ parameters may be very slow (CVE-2024-4603)
+ - Fixed unbounded memory growth with session handling in TLSv1.3
+ (CVE-2024-2511)
+ * Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
+ - Fixed PKCS12 Decoding crashes (CVE-2024-0727)
+ - Fixed Excessive time spent checking invalid RSA public keys
+ [CVE-2023-6237)
+ - Fixed POLY1305 MAC implementation corrupting vector registers
+ on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
+ - Fix excessive time spent in DH check / generation with large
+ Q parameter value (CVE-2023-5678)
+ * Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
+ * Rebase patches:
+ - openssl-Force-FIPS.patch
+ - openssl-FIPS-embed-hmac.patch
+ - openssl-FIPS-services-minimize.patch
+ - openssl-FIPS-RSA-disable-shake.patch
+ - openssl-CVE-2023-50782.patch
+ * Remove patches fixed in the update:
+ - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
+ - openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch
+ - openssl-CVE-2024-4741.patch openssl-CVE-2024-4603.patch
+ - openssl-CVE-2024-2511.patch openssl-CVE-2024-0727.patch
+ - openssl-CVE-2023-6237.patch openssl-CVE-2023-6129.patch
+ - openssl-CVE-2023-5678.patch
+ - openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
+ - openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
+ - openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
+ - 
reproducible.patch + +------------------------------------------------------------------- +Thu Oct 17 12:32:21 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1231741, CVE-2024-9143] + * Low-level invalid GF(2^m) parameters lead to OOB memory access + * Add openssl-CVE-2024-9143.patch + +------------------------------------------------------------------- +Thu Oct 17 12:21:14 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1220262, CVE-2023-50782] + * Implicit rejection in PKCS#1 v1.5 + * Add openssl-CVE-2023-50782.patch + ------------------------------------------------------------------- Thu Sep 19 08:05:52 UTC 2024 - Angel Yankov - Security fix: [bsc#1230698, CVE-2024-41996] - * Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used + * Validating the order of the public keys in the Diffie-Hellman + Key Agreement Protocol, when an approved safe prime is used. * Added openssl-CVE-2024-41996.patch ------------------------------------------------------------------- @@ -168,11 +561,6 @@ Wed May 29 13:30:21 UTC 2024 - Martin Wilck * Add openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch * Add openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch -------------------------------------------------------------------- -Tue May 28 14:17:50 UTC 2024 - Giuliano Belinassi - -- Enable livepatching support (bsc#1223428) - ------------------------------------------------------------------- Mon May 20 12:24:03 UTC 2024 - Otto Hollmann 
@@ -180,6 +568,17 @@ Mon May 20 12:24:03 UTC 2024 - Otto Hollmann * Check DSA parameters for excessive sizes before validating * Add openssl-CVE-2024-4603.patch +------------------------------------------------------------------- +Tue May 7 13:35:31 UTC 2024 - Giuliano Belinassi + +- Enable livepatching support (bsc#1223428) + +------------------------------------------------------------------- +Tue May 7 11:51:38 UTC 2024 - Otto Hollmann + +- Add ktls capability [bsc#1216950] + Already added in January, but not mentioned in this changelog. + ------------------------------------------------------------------- Mon May 6 12:11:02 UTC 2024 - Otto Hollmann @@ -293,7 +692,6 @@ Tue Oct 24 14:53:41 UTC 2023 - Otto Hollmann EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length [bsc#1216163, CVE-2023-5363]. - * Remove patch fixed upstream openssl-CVE-2023-5363.patch ------------------------------------------------------------------- Thu Oct 19 15:03:14 UTC 2023 - Otto Hollmann @@ -316,13 +714,6 @@ Thu Oct 19 11:53:29 UTC 2023 - Pedro Monreal - openssl-Add-FIPS_mode-compatibility-macro.patch - openssl-Add-Kernel-FIPS-mode-flag-support.patch -------------------------------------------------------------------- -Mon Oct 16 15:30:47 UTC 2023 - Otto Hollmann - -- Security fix: [bsc#1216163, CVE-2023-5363] - * Incorrect cipher key and IV length processing - * Add openssl-CVE-2023-5363.patch - ------------------------------------------------------------------- Thu Oct 12 09:44:19 UTC 2023 - 
@@ -390,23 +781,6 @@ Tue Aug 1 15:24:46 UTC 2023 - Pedro Monreal - openssl-CVE-2023-2975.patch - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch - - openssl-3-CVE-2023-3817.patch - -------------------------------------------------------------------- -Tue Aug 1 12:10:22 UTC 2023 - Pedro Monreal - -- Security fix: [bsc#1213853, CVE-2023-3817] - * Excessive time spent checking DH q parameter value: - The function DH_check() performs various checks on DH parameters. - After fixing CVE-2023-3446 it was discovered that a large q - parameter value can also trigger an overly long computation - during some of these checks. A correct q value, if present, - cannot be larger than the modulus p parameter, thus it is - unnecessary to perform these checks if q is larger than p. - If DH_check() is called with such q parameter value, - DH_CHECK_INVALID_Q_VALUE return flag is set and the - computationally intensive checks are skipped. - * Add openssl-3-CVE-2023-3817.patch ------------------------------------------------------------------- Thu Jul 20 07:48:20 UTC 2023 - Pedro Monreal 
@@ -484,24 +858,12 @@ Tue May 30 15:14:51 UTC 2023 - Otto Hollmann - openssl-Fix-OBJ_nid2obj-regression.patch - openssl-CVE-2023-0465.patch - openssl-CVE-2023-0466.patch - - openssl-CVE-2023-1255.patch - - openssl-CVE-2023-2650.patch ------------------------------------------------------------------- Mon May 29 07:31:07 UTC 2023 - Pedro Monreal - FIPS: Merge libopenssl3-hmac package into the library [bsc#1185116] -------------------------------------------------------------------- -Mon May 22 08:11:43 UTC 2023 - Otto Hollmann - -- Security Fix: [CVE-2023-1255, bsc#1210714] - * Input buffer over-read in AES-XTS implementation on 64 bit ARM - * Add openssl-CVE-2023-1255.patch -- Security Fix: [CVE-2023-2650, bsc#1211430] - * Possible DoS translating ASN.1 object identifiers - * Add openssl-CVE-2023-2650.patch - ------------------------------------------------------------------- Mon May 15 09:00:04 UTC 2023 - Otto Hollmann @@ -510,7 +872,7 @@ Mon May 15 09:00:04 UTC 2023 - Otto Hollmann * Add openssl-Add_support_for_Windows_CA_certificate_store.patch ------------------------------------------------------------------- -Mon Apr 3 07:48:40 UTC 2023 - Otto Hollmann +Wed Mar 29 12:11:10 UTC 2023 - Otto Hollmann - Security Fix: [CVE-2023-0465, bsc#1209878] * Invalid certificate policies in leaf certificates are silently ignored @@ -533,7 +895,7 @@ Mon Mar 27 14:44:32 UTC 2023 - Otto Hollmann * Add openssl-z16-s390x.patch ------------------------------------------------------------------- -Fri Mar 24 14:42:18 UTC 2023 - Otto Hollmann +Fri Mar 24 13:55:25 UTC 2023 - Otto Hollmann - Security Fix: [CVE-2023-0464, bsc#1209624] * Excessive Resource Usage Verifying X.509 Policy Constraints 
@@ -594,9 +956,9 @@ Wed Mar 8 10:37:09 UTC 2023 - Martin Pluskal - Build AVX2 enabled hwcaps library for x86_64-v3 ------------------------------------------------------------------- -Tue Feb 7 17:34:33 UTC 2023 - Otto Hollmann +Tue Feb 7 15:43:22 UTC 2023 - Otto Hollmann -- Update to version 3.0.8 in SLE15-SP5 [jsc#PED-544] +- Update to 3.0.8: * Fixed NULL dereference during PKCS7 data verification. A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash @@ -751,37 +1113,6 @@ Wed Jan 25 09:10:06 UTC 2023 - Pedro Monreal ca-certificates package is not installed. This directory is required by the nodejs regression tests. [bsc#1207484] -------------------------------------------------------------------- -Thu Jan 5 12:09:05 UTC 2023 - Otto Hollmann - -- Update openssl.keyring: - pub rsa4096 2021-07-16 [SC] [expires: 2031-07-14] - A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C - uid Tomáš Mráz - uid Tomáš Mráz - uid Tomáš Mráz - -------------------------------------------------------------------- -Wed Jan 4 15:26:42 UTC 2023 - Otto Hollmann - -- Update to version 3.0.7 in SLE15-SP5 [jsc#PED-544] -- Remove patches (already present in 3.0.7): - * openssl-3-CVE-2022-1343.patch - * openssl-CVE-2022-0778.patch - * openssl-CVE-2022-0778-tests.patch - * openssl-CVE-2022-1292.patch - * openssl-3-Fix-EC-ASM-flag-passing.patch - * openssl-update_expired_certificates.patch - * openssl-3-CVE-2022-3358.patch - * openssl-3-Fix-SHA-SHAKE-and-KECCAK-ASM-flag-passing.patch - * openssl-3-CVE-2022-3602_2.patch - * openssl-3-CVE-2022-3602_1.patch - * openssl-CVE-2022-2097.patch - * openssl-3-CVE-2022-1434.patch - * openssl-3-CVE-2022-1473.patch - * openssl-3-Fix-file-operations-in-c_rehash.patch -- Enable tests: test_req test_verify_store test_ca test_ssl_old - ------------------------------------------------------------------- Wed Dec 14 16:38:05 UTC 2022 - Otto Hollmann 
@@ -932,7 +1263,7 @@ Thu Jul 21 09:09:07 UTC 2022 - Pedro Monreal ------------------------------------------------------------------- Mon Jul 18 12:03:55 UTC 2022 - Pedro Monreal -- Update to 3.0.4: [bsc#1199166, bsc#1200550, CVE-2022-1292, CVE-2022-2068] +- Update to 3.0.4: [bsc#1199166, CVE-2022-1292] * In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection @@ -1003,13 +1334,6 @@ Mon Jul 18 12:03:21 UTC 2022 - Pedro Monreal statistics are no longer supported. For compatibility, these statistics are still listed in the output but are now always reported as zero. -------------------------------------------------------------------- -Thu Jun 2 10:34:59 UTC 2022 - Jason Sikes - -- Added openssl-update_expired_certificates.patch - * Openssl failed tests because of expired certificates. - * bsc#1185637 - ------------------------------------------------------------------- Sat Mar 19 10:05:22 UTC 2022 - Pedro Monreal diff --git a/openssl-3.spec b/openssl-3.spec index da507d2..054b34c 100644 --- a/openssl-3.spec +++ b/openssl-3.spec @@ -1,7 +1,7 @@ # # spec file for package openssl-3 # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -20,164 +20,146 @@ %define sover 3 %define _rname openssl %define man_suffix 3ssl -%global sslengcnf %{ssletcdir}/engines%{sover}.d -%global sslengdef %{ssletcdir}/engdef%{sover}.d # Enable userspace livepatching. %define livepatchable 1 Name: openssl-3 -# Don't forget to update the version in the "openssl" meta-package! -Version: 3.1.4 +Version: 3.2.3 Release: 0 Summary: Secure Sockets and Transport Layer Security License: Apache-2.0 URL: https://www.openssl.org/ Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz +Source1: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc +# https://keys.openpgp.org/search?q=openssl@openssl.org +# BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF +Source2: %{_rname}.keyring # to get mtime of file: -Source1: %{name}.changes -Source2: baselibs.conf -Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc -# https://www.openssl.org/about/ -# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring -Source4: %{_rname}.keyring +Source3: %{name}.changes +Source4: baselibs.conf Source5: showciphers.c -Source6: openssl-Disable-default-provider-for-test-suite.patch +Source6: openssl-TESTS-Disable-default-provider-crypto-policies.patch # PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages Patch1: openssl-no-html-docs.patch Patch2: openssl-truststore.patch Patch3: openssl-pkgconfig.patch -Patch4: openssl-DEFAULT_SUSE_cipher.patch -Patch5: openssl-ppc64-config.patch -Patch6: openssl-no-date.patch +Patch4: openssl-ppc64-config.patch +Patch5: openssl-no-date.patch # Add crypto-policies support -Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch -Patch8: openssl-crypto-policies-support.patch -# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW -Patch9: openssl-Add_support_for_Windows_CA_certificate_store.patch +Patch6: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch # PATCH-FIX-FEDORA Add 
FIPS_mode compatibility macro and flag support
-Patch10: openssl-Add-FIPS_mode-compatibility-macro.patch
-Patch11: openssl-Add-Kernel-FIPS-mode-flag-support.patch
-# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514
-# POWER10 performance enhancements for cryptography
-Patch12: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
-Patch13: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
-Patch14: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
-Patch15: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
-Patch16: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
-Patch17: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
-# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
-# checking excessively long X9.42 DH keys or parameters may be very slow
-Patch18: openssl-CVE-2023-5678.patch
-# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/22971
-Patch19: openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
-# PATCH-FIX-UPSTREAM: bsc#1218690 CVE-2023-6129 - POLY1305 MAC implementation corrupts vector registers on PowerPC
-Patch20: openssl-CVE-2023-6129.patch
+Patch7: openssl-Add-FIPS_mode-compatibility-macro.patch
+Patch8: openssl-Add-Kernel-FIPS-mode-flag-support.patch
 # PATCH-FIX-FEDORA Load FIPS the provider and set FIPS properties implicitly
-Patch21: openssl-Force-FIPS.patch
+Patch9: openssl-Force-FIPS.patch
 # PATCH-FIX-FEDORA Disable the fipsinstall command-line utility
-Patch22: openssl-disable-fipsinstall.patch
+Patch10: openssl-disable-fipsinstall.patch
 # PATCH-FIX-FEDORA Instructions to load legacy provider in openssl.cnf
-Patch23: openssl-load-legacy-provider.patch
+Patch11: openssl-load-legacy-provider.patch
 # PATCH-FIX-FEDORA Embed the FIPS hmac
-Patch24: openssl-FIPS-embed-hmac.patch
-# PATCH-FIX-UPSTREAM: bsc#1218810 CVE-2023-6237: Excessive time spent checking invalid RSA public keys
-Patch25: openssl-CVE-2023-6237.patch
-# 
PATCH-FIX-SUSE bsc#1194187, bsc#1207472, bsc#1218933 - Add engines section in openssl.cnf
-Patch26: openssl-3-use-include-directive.patch
-# PATCH-FIX-UPSTREAM: bsc#1219243 CVE-2024-0727: denial of service via null dereference
-Patch27: openssl-CVE-2024-0727.patch
-# PATCH-FIX-UPSTREAM: bsc#1222548 CVE-2024-2511: Unbounded memory growth with session handling in TLSv1.3
-Patch28: openssl-CVE-2024-2511.patch
-# PATCH-FIX-UPSTREAM: bsc#1224388 CVE-2024-4603: excessive time spent checking DSA keys and parameters
-Patch29: openssl-CVE-2024-4603.patch
-# PATCH-FIX-UPSTREAM: bsc#1225291 NVMe/TCP TLS connection fails due to handshake failure
-Patch30: openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
-Patch31: openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
-# PATCH-FIX-UPSTREAM bsc#1225551 CVE-2024-4741: use After Free with SSL_free_buffers
-Patch32: openssl-CVE-2024-4741.patch
-# PATCH-FIX-UPSTREAM: bsc#1223336 aes-gcm-avx512.pl: fix non-reproducibility issue
-Patch33: reproducible.patch
-# PATCH-FIX-UPSTREAM: bsc#1227138 CVE-2024-5535: SSL_select_next_proto buffer overread
-Patch34: openssl-CVE-2024-5535.patch
+Patch12: openssl-FIPS-embed-hmac.patch
 # PATCH-FIX-FEDORA bsc#1221786 FIPS: Use of non-Approved Elliptic Curves
-Patch35: openssl-Add-changes-to-ectest-and-eccurve.patch
-Patch36: openssl-Remove-EC-curves.patch
-Patch37: openssl-Disable-explicit-ec.patch
-Patch38: openssl-skipped-tests-EC-curves.patch
+Patch13: openssl-Add-changes-to-ectest-and-eccurve.patch
+Patch14: openssl-Remove-EC-curves.patch
+Patch15: openssl-Disable-explicit-ec.patch
+Patch16: openssl-skipped-tests-EC-curves.patch
 # PATCH-FIX-FEDORA bsc#1221753 bsc#1221760 bsc#1221822 FIPS: Extra public/private key checks required by FIPS-140-3
-Patch39: openssl-FIPS-140-3-keychecks.patch
+Patch17: openssl-FIPS-140-3-keychecks.patch
 # PATCH-FIX-FEDORA bsc#1221365 bsc#1221786 bsc#1221787 FIPS: Minimize fips services
-Patch40: openssl-FIPS-services-minimize.patch
-# PATCH-FIX-SUSE 
bsc#1221751 FIPS: Add release number to version string
-Patch41: openssl-FIPS-release_num_in_version_string.patch
+Patch18: openssl-FIPS-services-minimize.patch
 # PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
-Patch42: openssl-FIPS-early-KATS.patch
+Patch19: openssl-FIPS-early-KATS.patch
 # PATCH-FIX-SUSE bsc#1221787 FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4
-Patch43: openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
+Patch20: openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
 # PATCH-FIX-FEDORA bsc#1221787 FIPS: Selectively disallow SHA1 signatures
-Patch44: openssl-Allow-disabling-of-SHA1-signatures.patch
-Patch45: openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+Patch21: openssl-Allow-disabling-of-SHA1-signatures.patch
+# # PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 signature verification in FIPS provider
+Patch22: openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
 # PATCH-FIX-FEDORA bsc#1221365 bsc#1221824 FIPS: Service Level Indicator is needed
-Patch46: openssl-FIPS-limit-rsa-encrypt.patch
-Patch47: openssl-FIPS-Expose-a-FIPS-indicator.patch
+Patch23: openssl-FIPS-limit-rsa-encrypt.patch
+Patch24: openssl-FIPS-Expose-a-FIPS-indicator.patch
 # PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
-Patch48: openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+Patch25: openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
 # PATCH-FIX-FEDORA bsc#1221365 bsc#1221760 FIPS: Selftests are required
-Patch49: openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+Patch26: openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 # PATCH-FIX-FEDORA bsc#1221760 FIPS: Selftests are required
-Patch50: openssl-FIPS-Use-FFDHE2048-in-self-test.patch
+Patch27: openssl-FIPS-Use-FFDHE2048-in-self-test.patch
 # PATCH-FIX-FEDORA bsc#1220690 bsc#1220693 bsc#1220696 FIPS: Reseed DRBG
-Patch51: openssl-FIPS-140-3-DRBG.patch
+Patch28: 
openssl-FIPS-140-3-DRBG.patch
 # PATCH-FIX-FEDORA bsc#1221752 FIPS: Zeroisation is required
-Patch52: openssl-FIPS-140-3-zeroization.patch
+Patch29: openssl-FIPS-140-3-zeroization.patch
 # PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
-Patch53: openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
-Patch54: openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+Patch30: openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
+Patch31: openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
 # PATCH-FIX-FEDORA bsc#1221365 bsc#1221365 FIPS: Service Level Indicator is needed
-Patch55: openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
+Patch32: openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
 # PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
-Patch56: openssl-FIPS-Add-explicit-indicator-for-key-length.patch
+Patch33: openssl-FIPS-Add-explicit-indicator-for-key-length.patch
 # PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation
-Patch57: openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+Patch34: openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
 # PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
-Patch58: openssl-FIPS-RSA-disable-shake.patch
-Patch59: openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
+Patch35: openssl-FIPS-RSA-disable-shake.patch
+Patch36: openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
 # PATCH-FIX-FEDORA bsc#1221824 FIPS: NIST SP 800-56Brev2 Section 6.4.1.2.1
-Patch60: openssl-FIPS-RSA-encapsulate.patch
+Patch37: openssl-FIPS-RSA-encapsulate.patch
 # PATCH-FIX-FEDORA bsc#1221821 FIPS: Disable FIPS 186-4 Domain Parameters
-Patch61: openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+Patch38: openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
 # PATCH-FIX-SUSE bsc#1221365 FIPS: Service Level Indicator is needed
-Patch62: 
openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
+Patch39: openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
 # PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation
-Patch63: openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+Patch40: openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
 # PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
-Patch64: openssl-FIPS-enforce-EMS-support.patch
+Patch41: openssl-FIPS-enforce-EMS-support.patch
 # PATCH-FIX-SUSE bsc#1221824 FIPS: Add check for SP 800-56Brev2 Section 6.4.1.2.1
-Patch65: openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
+Patch42: openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
 # PATCH-FIX-SUSE bsc#1220523 FIPS: Port openssl to use jitterentropy
-Patch66: openssl-3-jitterentropy-3.4.0.patch
+Patch43: openssl-3-jitterentropy-3.4.0.patch
 # PATCH-FIX-SUSE bsc#1221753 FIPS: Enforce error state
-Patch67: openssl-FIPS-Enforce-error-state.patch
+Patch44: openssl-FIPS-Enforce-error-state.patch
 # PATCH-FIX-SUSE bsc#1221365 FIPS: Service Level Indicator is needed
-Patch68: openssl-FIPS-enforce-security-checks-during-initialization.patch
-# PATCH-FIX-SUSE bsc#1221753 bsc#1221760 FIPS: RSA keygen PCT requirements
-Patch69: openssl-3-FIPS-PCT_rsa_keygen.patch
-# PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 signature verification in FIPS provider
-Patch70: openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
-# PATCH-FIX-UPSTREAM: bsc#1229465 CVE-2024-6119: possible denial of service in X.509 name checks
-Patch71: openssl-CVE-2024-6119.patch
-# PATCH-FIX-UPSTREAM bsc#1230698 CVE-2024-41996: Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers to trigger expensive server-side DHE
-Patch72: openssl-CVE-2024-41996.patch
+Patch45: openssl-FIPS-enforce-security-checks-during-initialization.patch
+# PATCH-FIX-FEDORA 
Adapt pairwise tests +Patch46: openssl-skip-quic-pairwise.patch +# PATCH-FIX-UPSTREAM support MSA 12 (SHA3) jsc#PED-10280 +Patch48: openssl-3-add_EVP_DigestSqueeze_api.patch +Patch49: openssl-3-support-multiple-sha3_squeeze_s390x.patch +Patch50: openssl-3-add-xof-state-handling-s3_absorb.patch +Patch51: openssl-3-fix-state-handling-sha3_absorb_s390x.patch +Patch52: openssl-3-fix-state-handling-sha3_final_s390x.patch +Patch53: openssl-3-fix-state-handling-shake_final_s390x.patch +Patch54: openssl-3-fix-state-handling-keccak_final_s390x.patch +Patch55: openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch +Patch56: openssl-3-add-defines-CPACF-funcs.patch +Patch57: openssl-3-add-hw-acceleration-hmac.patch +Patch58: openssl-3-support-CPACF-sha3-shake-perf-improvement.patch +Patch59: openssl-3-fix-s390x_sha3_absorb.patch +Patch60: openssl-3-fix-s390x_shake_squeeze.patch +# PATCH-FIX-UPSTREAM: support MSA 10 XTS jsc#PED-10273 +Patch61: openssl-3-hw-acceleration-aes-xts-s390x.patch +# PATCH-FIX-UPSTREAM: support MSA 11 HMAC jsc#PED-10274 +Patch62: openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch +Patch63: openssl-3-fix-hmac-digest-detection-s390x.patch +Patch64: openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch +# PATCH-FIX-UPSTREAM: Fix failing tests on ppc64 jsc#PED-10280 +Patch65: openssl-3-fix-sha3-squeeze-ppc64.patch +Patch66: openssl-3-fix-quic_multistream_test.patch BuildRequires: pkgconfig -%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 + +# ulp-macros is available according to SUSE version. 
+%ifarch x86_64 +%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1540 BuildRequires: ulp-macros -%else -# Define ulp-macros macros as empty -%define cflags_livepatching "" -%define pack_ipa_dumps echo "Livepatching is disabled in this build" %endif +%endif +%ifarch ppc64le +%if 0%{?sle_version} >= 150700 || 0%{?suse_version} >= 1570 +BuildRequires: gcc13 +BuildRequires: ulp-macros +%endif +%endif + BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) Requires: libopenssl3 = %{version}-%{release} @@ -223,9 +205,9 @@ OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl-3-devel Summary: Development files for OpenSSL +Requires: jitterentropy-devel >= 3.4.0 Requires: libopenssl3 = %{version} Requires: pkgconfig(zlib) -Requires: jitterentropy-devel >= 3.4.0 Recommends: %{name} = %{version} Provides: ssl-devel Conflicts: ssl-devel @@ -240,8 +222,8 @@ that want to make use of the OpenSSL C API. %package -n libopenssl-3-fips-provider Summary: OpenSSL FIPS provider -Requires: libopenssl3 >= %{version} Requires: libjitterentropy3 >= 3.4.0 +Requires: libopenssl3 >= %{version} BuildRequires: fipscheck BuildRequires: jitterentropy-devel >= 3.4.0 
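Review bot: Dropping `openssl-CVE-2024-41996.patch` (old Patch72) together with the other upstream CVE backports assumes every one of them is contained in 3.2.3; for the fixes from the 3.2.1/3.2.2/3.2.3 security releases (CVE-2023-5678, -6129, -6237, CVE-2024-0727, -2511, -4603, -4741, -5535, -6119) that holds, but I could not confirm from this diff that the DHE public-key order check behind CVE-2024-41996 is part of 3.2.3, so please verify it before dropping rather than rebasing that patch. Two small things in the same list: the new numbering jumps from `Patch46` straight to `Patch48`, and the added comment reads `+# # PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 …` with a doubled marker; `# PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 signature verification in FIPS provider` and a contiguous sequence would keep the list tidy. The hunk also introduces the `%ifarch ppc64le` block adding `BuildRequires: gcc13`, which the `%build` hunk below depends on.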
@@ -271,22 +253,33 @@ export MACHINE=armv5el export MACHINE=armv6l %endif +# In ppc64le we need gcc-13 for userspace livepatching until we have the +# required -fpatchable-functions-entry patch merged into the mainline +%ifarch ppc64le +%if 0%{?sle_version} >= 150700 || 0%{?suse_version} >= 1570 +export CC=gcc-13 +export CXX=g++-13 +%endif +%endif ./Configure \ - no-mdc2 no-ec2m \ - no-afalgeng \ - enable-rfc3779 enable-camellia enable-seed \ + enable-camellia \ %ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif enable-fips \ enable-jitterentropy \ enable-ktls \ + enable-rfc3779 \ + enable-seed \ + no-afalgeng \ + no-ec2m \ + no-mdc2 \ zlib \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ %{optflags} \ - %{cflags_livepatching} \ + %{?cflags_livepatching} \ -Wa,--noexecstack \ -Wl,-z,relro,-z,now \ -fno-common \ @@ -310,14 +303,8 @@ perl configdata.pm --dump %make_build all %check -# Relax the crypto-policies requirements for the regression tests -# Revert patch8 before running tests -patch -p1 -R < %{PATCH8} -# Revert openssl-3-use-include-directive.patch because these directories -# exists only in buildroot but not in build system and some tests are failing -# because of it. -patch -p1 -R < %{PATCH26} -# Disable the default provider for the test suite. +# Relax the crypto-policies requirements and disable the default +# provider for the test suite regression tests patch -p1 < %{SOURCE6} export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export MALLOC_CHECK_=3 @@ -352,7 +339,7 @@ gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{build LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers %install -%{pack_ipa_dumps} +%{?pack_ipa_dumps} %make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix} rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover} 
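Review bot: `export CXX=g++-13` in the new ppc64le block has no matching build dependency — the earlier hunk adds only `BuildRequires: gcc13`, so the C++ compiler is not guaranteed to exist in the build root. OpenSSL's Configure does not invoke CXX unless a C++ build test is enabled, so this is most likely harmless today, but either drop the `export CXX=g++-13` line or add the corresponding C++ compiler package so the two hunks stay consistent. The switch to `%{?cflags_livepatching}` and `%{?pack_ipa_dumps}` correctly matches the removal of the empty fallback `%define`s in the header hunk.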
@@ -363,7 +350,7 @@ for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do done # Remove static libraries -rm -f %{buildroot}%{_libdir}/lib*.a +rm -f %{buildroot}%{_libdir}/*.a # Remove the cnf.dist rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist @@ -376,21 +363,13 @@ cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cn mkdir -p %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl install -d -m 555 %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl -# Remove the fipsmodule.cnf because FIPS module is loaded automatically +# Remove the fipsmodule.cnf because FIPS module is loaded automatically in FIPS mode rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl mkdir %{buildroot}/%{_datadir}/ssl mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/ -# Create the two directories into which packages will drop their configuration -# files. -mkdir %{buildroot}/%{sslengcnf} -mkdir %{buildroot}/%{sslengdef} -# Create unversioned symbolic links to above directories -ln -s %{sslengcnf} %{buildroot}/%{ssletcdir}/engines.d -ln -s %{sslengdef} %{buildroot}/%{ssletcdir}/engdef.d - # Add the FIPS module configuration from crypto-policies since SP6 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600 ln -s %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config %{buildroot}%{ssletcdir}/fips_local.cnf 
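Review bot: Removing the `%{sslengcnf}`/`%{sslengdef}` directories and the `engines.d`/`engdef.d` symlinks here (and their `%dir` entries in the `%files` hunk below) changes the packaging interface, since the removed comment states that other packages drop their configuration files into them; anything still installing there would end up with unowned directories after this update. I cannot see the consumers from this diff, so this is a point to verify rather than a confirmed breakage, but a short spec comment such as `# engines%{sover}.d / engdef%{sover}.d drop-in directories were removed with the 3.2 update` next to the `mv … misc` line would make the intent visible to the next maintainer. Widening `rm -f %{buildroot}%{_libdir}/lib*.a` to `*.a` is fine as long as no non-library archive is expected under `%{_libdir}`.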
@@ -425,17 +404,6 @@ if [ "$1" -gt 1 ] ; then fi %pre -# Migrate old engines.d to engines1.1.d.rpmsave -if [ ! -L %{ssletcdir}/engines.d ] && [ -d %{ssletcdir}/engines.d ]; then - mkdir %{ssletcdir}/engines1.1.d.rpmsave ||: - mv %{ssletcdir}/engines.d %{ssletcdir}/engines1.1.d.rpmsave ||: -fi - -# Migrate old engdef.d to engdef1.1.d.rpmsave -if [ ! -L %{ssletcdir}/engdef.d ] && [ -d %{ssletcdir}/engdef.d ]; then - mkdir %{ssletcdir}/engdef1.1.d.rpmsave ||: - mv %{ssletcdir}/engdef.d %{ssletcdir}/engdef1.1.d.rpmsave ||: -fi %post -n libopenssl3 -p /sbin/ldconfig %postun -n libopenssl3 -p /sbin/ldconfig @@ -470,7 +438,7 @@ fi %files %license LICENSE.txt -%doc CHANGES.md NEWS.md FAQ.md README.md +%doc CHANGES.md NEWS.md README.md %dir %{ssletcdir} %config %{ssletcdir}/openssl-orig.cnf %config (noreplace) %{ssletcdir}/openssl.cnf @@ -479,11 +447,6 @@ fi %config %{ssletcdir}/fips_local.cnf %endif %attr(700,root,root) %{ssletcdir}/private -%dir %{sslengcnf} -%dir %{sslengdef} -# symbolic link to above directories -%{ssletcdir}/engines.d -%{ssletcdir}/engdef.d %dir %{_datadir}/ssl %{_datadir}/ssl/misc %dir %{_localstatedir}/lib/ca-certificates/ diff --git a/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch b/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch index 6f2ad6f..02399c6 100644 --- a/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch +++ b/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch 
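Review bot: The `%pre` line is kept while its whole body (the engines.d/engdef.d migration) is removed, so the package most likely ends up with an empty preinstall scriptlet, which rpmlint reports as empty-%pre and which still adds a shell dependency for no effect. Remove the `%pre` line together with the body so that `%post -n libopenssl3 -p /sbin/ldconfig` becomes the first scriptlet. Dropping `FAQ.md` from `%doc` is consistent with the 3.2 tarball no longer shipping it.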
@@ -1,16 +1,47 @@ -From 2000eaead63732669283e6b54c8ef02e268eaeb8 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 31 Jul 2023 09:41:29 +0200 -Subject: [PATCH 34/48] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch +From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 11 Aug 2022 09:27:12 +0200 +Subject: KDF: Add FIPS indicators -Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch -Patch-id: 78 -Patch-status: | - # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +FIPS requires a number of restrictions on the parameters of the various +key derivation functions implemented in OpenSSL. The KDFs that use +digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG +C.C). Additionally, some application-specific KDFs have further +restrictions defined in SP 800-135r1. + +Generally, all KDFs shall use a key-derivation key length of at least +112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF +to generate and output length of less than 112 bits will also set the +indicator to unapproved. + +Add explicit indicators to all KDFs usable in FIPS mode except for +PBKDF2 (which has its specific FIPS limits already implemented). The +indicator can be queried using EVP_KDF_CTX_get_params() after setting +the required parameters and keys for the KDF. + +Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the +truncated variants -224 and -384) and SHA3 (-256 and -512, and the +truncated versions -224 and -384), as well as SHAKE-128 and -256. + +The SHAKE functions are generally not allowed in KDFs. 
For the rest, the +support matrix is: + + KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated +========================================================================== +KBKDF | x | x | x | x | x +HKDF | x | x | x | x | x +TLS1PRF | | SHA-{256,384,512} only | | +SSHKDF | x | x | x | | +SSKDF | x | x | x | x | x +X9.63KDF | | x | x | x | x +X9.42-ASN1 | x | x | x | x | x +TLS1.3PRF | | SHA-{256,384} only | | + +Signed-off-by: Clemens Lang +Resolves: rhbz#2160733 rhbz#2164763 +Related: rhbz#2114772 rhbz#2141695 --- include/crypto/evp.h | 7 ++ - include/openssl/core_names.h | 1 + include/openssl/kdf.h | 4 + providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++- providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++-- @@ -18,12 +49,13 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++- + util/perl/OpenSSL/paramnames.pm | 1 + 9 files changed, 487 insertions(+), 22 deletions(-) -Index: openssl-3.1.4/include/crypto/evp.h -=================================================================== ---- openssl-3.1.4.orig/include/crypto/evp.h -+++ openssl-3.1.4/include/crypto/evp.h +diff --git a/include/crypto/evp.h b/include/crypto/evp.h +index e70d8e9e84..76fb990de4 100644 +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h @@ -219,6 +219,13 @@ struct evp_mac_st { OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params; }; 
@@ -38,23 +70,11 @@ Index: openssl-3.1.4/include/crypto/evp.h struct evp_kdf_st { OSSL_PROVIDER *prov; int name_id; -Index: openssl-3.1.4/include/openssl/core_names.h -=================================================================== ---- openssl-3.1.4.orig/include/openssl/core_names.h -+++ openssl-3.1.4/include/openssl/core_names.h -@@ -226,6 +226,7 @@ extern "C" { - #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" - #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo" - #define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits" -+#define OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" - - /* Known KDF names */ - #define OSSL_KDF_NAME_HKDF "HKDF" -Index: openssl-3.1.4/include/openssl/kdf.h -=================================================================== ---- openssl-3.1.4.orig/include/openssl/kdf.h -+++ openssl-3.1.4/include/openssl/kdf.h -@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF * +diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h +index 0983230a48..86171635ea 100644 +--- a/include/openssl/kdf.h ++++ b/include/openssl/kdf.h +@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf, # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 
@@ -65,11 +85,11 @@ Index: openssl-3.1.4/include/openssl/kdf.h #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 -Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/hkdf.c -+++ openssl-3.1.4/providers/implementations/kdfs/hkdf.c -@@ -43,6 +43,7 @@ static OSSL_FUNC_kdf_settable_ctx_params +diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c +index dfa7786bde..f01e40ff5a 100644 +--- a/providers/implementations/kdfs/hkdf.c ++++ b/providers/implementations/kdfs/hkdf.c +@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; @@ -77,7 +97,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; -@@ -86,6 +87,10 @@ typedef struct { +@@ -85,6 +86,10 @@ typedef struct { size_t data_len; unsigned char *info; size_t info_len; @@ -88,7 +108,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c } KDF_HKDF; static void *kdf_hkdf_new(void *provctx) -@@ -201,6 +206,11 @@ static int kdf_hkdf_derive(void *vctx, u +@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } 
@@ -100,7 +120,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c switch (ctx->mode) { case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: default: -@@ -363,13 +373,15 @@ static int kdf_hkdf_get_ctx_params(void +@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void { KDF_HKDF *ctx = (KDF_HKDF *)vctx; OSSL_PARAM *p; @@ -109,21 +129,20 @@ Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { size_t sz = kdf_hkdf_size(ctx); -- if (sz == 0) + any_valid = 1; -+ -+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz)) + if (sz == 0) return 0; -- return OSSL_PARAM_set_size_t(p, sz); + return OSSL_PARAM_set_size_t(p, sz); } if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { ++ any_valid = 1; if (ctx->info == NULL || ctx->info_len == 0) { -@@ -378,7 +390,68 @@ static int kdf_hkdf_get_ctx_params(void + p->return_size = 0; + return 1; } return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); } - return -2; -+ +#ifdef FIPS_MODULE + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR)) + != NULL) { @@ -188,7 +207,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c } static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -387,6 +460,9 @@ static const OSSL_PARAM *kdf_hkdf_gettab +@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), @@ -198,7 +217,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c OSSL_PARAM_END }; return known_gettable_ctx_params; -@@ -717,6 +793,17 @@ static int prov_tls13_hkdf_generate_secr +@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, return ret; } 
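Review bot: The rewritten hunk header `+@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void` has an inconsistent new-file start: the three preceding hkdf.c hunks (`+42,7`, `+86,10`, `+175,11`) add ten lines in total, so the new side should start at 328, which is also what the following `@@ -348,6 +421,9 @@` header implies. GNU patch tolerates a wrong new-side offset when applying forward, but it shows the hunk was edited by hand, so the 22/85 line counts deserve a second look as well and the patch should be regenerated with `quilt refresh` or `git format-patch` before it is relied on. The body of kdf_hkdf_get_ctx_params continues outside this hunk, so the new `any_valid` handling cannot be fully reviewed here.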
@@ -216,7 +235,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, const OSSL_PARAM params[]) { -@@ -732,6 +819,11 @@ static int kdf_tls1_3_derive(void *vctx, +@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } @@ -228,7 +247,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c switch (ctx->mode) { default: return 0; -@@ -809,7 +901,7 @@ static const OSSL_PARAM *kdf_tls1_3_sett +@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, } const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { @@ -237,10 +256,10 @@ Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, -Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/kbkdf.c -+++ openssl-3.1.4/providers/implementations/kdfs/kbkdf.c +diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c +index a542f84dfa..6b6dfb94ac 100644 +--- a/providers/implementations/kdfs/kbkdf.c ++++ b/providers/implementations/kdfs/kbkdf.c @@ -59,6 +59,9 @@ typedef struct { kbkdf_mode mode; EVP_MAC_CTX *ctx_init; @@ -251,7 +270,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c /* Names are lowercased versions of those found in SP800-108. */ int r; unsigned char *ki; -@@ -72,6 +75,9 @@ typedef struct { +@@ -73,6 +76,9 @@ typedef struct { int use_l; int is_kmac; int use_separator; 
@@ -261,7 +280,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c } KBKDF; /* Definitions needed for typechecking. */ -@@ -143,6 +149,7 @@ static void kbkdf_reset(void *vctx) +@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx) void *provctx = ctx->provctx; EVP_MAC_CTX_free(ctx->ctx_init); @@ -269,7 +288,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c OPENSSL_clear_free(ctx->context, ctx->context_len); OPENSSL_clear_free(ctx->label, ctx->label_len); OPENSSL_clear_free(ctx->ki, ctx->ki_len); -@@ -308,6 +315,11 @@ static int kbkdf_derive(void *vctx, unsi +@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, goto done; } @@ -281,7 +300,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); if (h == 0) goto done; -@@ -381,6 +393,9 @@ static int kbkdf_set_ctx_params(void *vc +@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } } @@ -291,7 +310,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); if (p != NULL && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { -@@ -461,20 +476,77 @@ static const OSSL_PARAM *kbkdf_settable_ +@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { OSSL_PARAM *p; 
@@ -374,11 +393,11 @@ Index: openssl-3.1.4/providers/implementations/kdfs/kbkdf.c return known_gettable_ctx_params; } -Index: openssl-3.1.4/providers/implementations/kdfs/sshkdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/sshkdf.c -+++ openssl-3.1.4/providers/implementations/kdfs/sshkdf.c -@@ -49,6 +49,9 @@ typedef struct { +diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c +index c592ba72f1..4a52b38266 100644 +--- a/providers/implementations/kdfs/sshkdf.c ++++ b/providers/implementations/kdfs/sshkdf.c +@@ -48,6 +48,9 @@ typedef struct { char type; /* X */ unsigned char *session_id; size_t session_id_len; @@ -388,7 +407,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sshkdf.c } KDF_SSHKDF; static void *kdf_sshkdf_new(void *provctx) -@@ -151,6 +154,12 @@ static int kdf_sshkdf_derive(void *vctx, +@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); return 0; } @@ -401,7 +420,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sshkdf.c return SSHKDF(md, ctx->key, ctx->key_len, ctx->xcghash, ctx->xcghash_len, ctx->session_id, ctx->session_id_len, -@@ -219,10 +228,67 @@ static const OSSL_PARAM *kdf_sshkdf_sett +@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { OSSL_PARAM *p; @@ -472,7 +491,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sshkdf.c } static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -230,6 +296,9 @@ static const OSSL_PARAM *kdf_sshkdf_gett +@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), 
@@ -482,11 +501,11 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sshkdf.c OSSL_PARAM_END }; return known_gettable_ctx_params; -Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/sskdf.c -+++ openssl-3.1.4/providers/implementations/kdfs/sskdf.c -@@ -63,6 +63,10 @@ typedef struct { +diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c +index eb54972e1c..23865cd70f 100644 +--- a/providers/implementations/kdfs/sskdf.c ++++ b/providers/implementations/kdfs/sskdf.c +@@ -64,6 +64,10 @@ typedef struct { size_t salt_len; size_t out_len; /* optional KMAC parameter */ int is_kmac; @@ -505,7 +524,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; static OSSL_FUNC_kdf_freectx_fn sskdf_free; static OSSL_FUNC_kdf_reset_fn sskdf_reset; -@@ -297,6 +302,16 @@ static void *sskdf_new(void *provctx) +@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx) return ctx; } @@ -522,7 +541,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c static void sskdf_reset(void *vctx) { KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; -@@ -392,6 +407,11 @@ static int sskdf_derive(void *vctx, unsi +@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, } md = ossl_prov_digest_md(&ctx->digest); @@ -534,7 +553,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c if (ctx->macctx != NULL) { /* H(x) = KMAC or H(x) = HMAC */ int ret; -@@ -473,6 +493,11 @@ static int x963kdf_derive(void *vctx, un +@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } 
@@ -546,7 +565,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, ctx->info, ctx->info_len, 1, key, keylen); } -@@ -545,10 +570,74 @@ static int sskdf_get_ctx_params(void *vc +@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; OSSL_PARAM *p; @@ -624,7 +643,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c } static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -556,6 +645,9 @@ static const OSSL_PARAM *sskdf_gettable_ +@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), @@ -634,7 +653,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c OSSL_PARAM_END }; return known_gettable_ctx_params; -@@ -577,7 +669,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_funct +@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { }; const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { 
@@ -643,11 +662,11 @@ Index: openssl-3.1.4/providers/implementations/kdfs/sskdf.c { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, -Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/tls1_prf.c -+++ openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c -@@ -104,6 +104,13 @@ typedef struct { +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index a4d64b9352..f6782a6ca2 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -93,6 +93,13 @@ typedef struct { /* Buffer of concatenated seed data */ unsigned char seed[TLS1_PRF_MAXBUF]; size_t seedlen; @@ -661,7 +680,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c } TLS1_PRF; static void *kdf_tls1_prf_new(void *provctx) -@@ -140,6 +147,7 @@ static void kdf_tls1_prf_reset(void *vct +@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx) EVP_MAC_CTX_free(ctx->P_sha1); OPENSSL_clear_free(ctx->sec, ctx->seclen); OPENSSL_cleanse(ctx->seed, ctx->seedlen); @@ -669,7 +688,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c memset(ctx, 0, sizeof(*ctx)); ctx->provctx = provctx; } -@@ -194,6 +202,10 @@ static int kdf_tls1_prf_derive(void *vct +@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); return 0; } @@ -680,7 +699,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c /* * The seed buffer is prepended with a label. -@@ -243,6 +255,9 @@ static int kdf_tls1_prf_set_ctx_params(v +@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } } 
@@ -690,7 +709,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { OPENSSL_clear_free(ctx->sec, ctx->seclen); ctx->sec = NULL; -@@ -284,10 +299,60 @@ static const OSSL_PARAM *kdf_tls1_prf_se +@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { OSSL_PARAM *p; @@ -754,7 +773,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c } static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( -@@ -295,6 +360,9 @@ static const OSSL_PARAM *kdf_tls1_prf_ge +@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), @@ -764,10 +783,10 @@ Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c OSSL_PARAM_END }; return known_gettable_ctx_params; -Index: openssl-3.1.4/providers/implementations/kdfs/x942kdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/x942kdf.c -+++ openssl-3.1.4/providers/implementations/kdfs/x942kdf.c +diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c +index b1bc6f7e1b..8173fc2cc7 100644 +--- a/providers/implementations/kdfs/x942kdf.c ++++ b/providers/implementations/kdfs/x942kdf.c @@ -13,11 +13,13 @@ #include #include @@ -782,7 +801,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/x942kdf.c #include "prov/provider_ctx.h" #include "prov/providercommon.h" #include "prov/implementations.h" -@@ -49,6 +51,9 @@ typedef struct { +@@ -47,6 +50,9 @@ typedef struct { const unsigned char *cek_oid; size_t cek_oid_len; int use_keybits; 
@@ -792,7 +811,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/x942kdf.c } KDF_X942; /* -@@ -497,6 +502,10 @@ static int x942kdf_derive(void *vctx, un +@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); return 0; } @@ -803,7 +822,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/x942kdf.c ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, der, der_len, ctr, key, keylen); OPENSSL_free(der); -@@ -600,10 +609,58 @@ static int x942kdf_get_ctx_params(void * +@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { KDF_X942 *ctx = (KDF_X942 *)vctx; OSSL_PARAM *p; @@ -865,7 +884,7 @@ Index: openssl-3.1.4/providers/implementations/kdfs/x942kdf.c } static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -611,6 +668,9 @@ static const OSSL_PARAM *x942kdf_gettabl +@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), @@ -875,3 +894,18 @@ Index: openssl-3.1.4/providers/implementations/kdfs/x942kdf.c OSSL_PARAM_END }; return known_gettable_ctx_params; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 70f7c50fe4..6618122417 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -183,6 +183,7 @@ my %params = ( + 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo", + 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo", + 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits", ++ 'KDF_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator", + 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy", + 'KDF_PARAM_HMACDRBG_NONCE' => "nonce", + 'KDF_PARAM_THREADS' => "threads", # uint32_t +-- +2.39.2 + diff --git a/openssl-Add-Kernel-FIPS-mode-flag-support.patch b/openssl-Add-Kernel-FIPS-mode-flag-support.patch index 94a80cf..3f2da76 100644 
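Review bot: The added `'KDF_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator"` entry is spliced into the X942-specific run of `%params` keys (between `KDF_PARAM_X942_USE_KEYBITS` and `KDF_PARAM_HMACDRBG_ENTROPY`) although it is a generic indicator that the kbkdf, sshkdf, sskdf, tls1_prf and x942kdf hunks earlier in this patch appear to expose (the added gettable-params lines are not legible here), so a reader of the generated header will not find it next to the other generic KDF names. Consider moving it beside the generic KDF entries and annotating it in place, e.g. `'KDF_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator", # SUSE extension, not an upstream name`. Since paramnames.pm is, as I understand the 3.2 build, the source of the generated public core_names.h, both the macro and the string become part of the distribution's public API, and a later rename to match an upstream indicator name would break consumers; the patch description should state that intent. The `%params` hash begins and ends outside the hunk.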
--- a/openssl-Add-Kernel-FIPS-mode-flag-support.patch +++ b/openssl-Add-Kernel-FIPS-mode-flag-support.patch @@ -13,12 +13,12 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd include/internal/provider.h | 3 +++ 2 files changed, 39 insertions(+) -diff --git a/crypto/context.c b/crypto/context.c -index e294ea1512..51002ba79a 100644 ---- a/crypto/context.c -+++ b/crypto/context.c -@@ -16,6 +16,41 @@ - #include "internal/provider.h" +Index: openssl-3.2.3/crypto/context.c +=================================================================== +--- openssl-3.2.3.orig/crypto/context.c ++++ openssl-3.2.3/crypto/context.c +@@ -17,6 +17,40 @@ + #include "crypto/decoder.h" #include "crypto/context.h" +# include @@ -33,33 +33,32 @@ index e294ea1512..51002ba79a 100644 + +static void read_kernel_fips_flag(void) +{ -+ char buf[2] = "0"; -+ int fd; ++ char buf[2] = "0"; ++ int fd; + -+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { -+ buf[0] = '1'; -+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { -+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; -+ close(fd); -+ } ++ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { ++ buf[0] = '1'; ++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; ++ close(fd); ++ } + -+ if (buf[0] == '1') { -+ kernel_fips_flag = 1; -+ } ++ if (buf[0] == '1') { ++ kernel_fips_flag = 1; ++ } + -+ return; ++ return; +} + +int ossl_get_kernel_fips_flag() +{ -+ return kernel_fips_flag; ++ return kernel_fips_flag; +} -+ + struct ossl_lib_ctx_st { CRYPTO_RWLOCK *lock, *rand_crngt_lock; OSSL_EX_DATA_GLOBAL global; -@@ -336,6 +371,7 @@ static int default_context_inited = 0; +@@ -368,6 +402,7 @@ static int default_context_inited = 0; DEFINE_RUN_ONCE_STATIC(default_context_do_init) { 
@@ -67,11 +66,11 @@ index e294ea1512..51002ba79a 100644 if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)) goto err; -diff --git a/include/internal/provider.h b/include/internal/provider.h -index 18937f84c7..1446bf7afb 100644 ---- a/include/internal/provider.h -+++ b/include/internal/provider.h -@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, +Index: openssl-3.2.3/include/internal/provider.h +=================================================================== +--- openssl-3.2.3.orig/include/internal/provider.h ++++ openssl-3.2.3/include/internal/provider.h +@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB const OSSL_DISPATCH *in); void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); @@ -81,6 +80,3 @@ index 18937f84c7..1446bf7afb 100644 # ifdef __cplusplus } # endif --- -2.41.0 - diff --git a/openssl-Add-changes-to-ectest-and-eccurve.patch b/openssl-Add-changes-to-ectest-and-eccurve.patch index 1544caf..0fb737c 100644 --- a/openssl-Add-changes-to-ectest-and-eccurve.patch +++ b/openssl-Add-changes-to-ectest-and-eccurve.patch @@ -1135,9 +1135,9 @@ index afef85b0e6..4890b0555e 100644 || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" @@ -3015,7 +2857,7 @@ int setup_tests(void) - return 0; ADD_TEST(parameter_test); + ADD_TEST(ossl_parameter_test); - ADD_TEST(cofactor_range_test); + /* ADD_TEST(cofactor_range_test); */ ADD_ALL_TESTS(cardinality_test, crv_len); @@ -1145,4 +1145,3 @@ index afef85b0e6..4890b0555e 100644 #ifndef OPENSSL_NO_EC2M -- 2.41.0 - diff --git a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index 1bb6aee..ab6ed6d 100644 --- a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch 
@@ -15,9 +15,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist util/libcrypto.num | 1 8 files changed, 110 insertions(+), 14 deletions(-) ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man +Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.2.3.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.2.3/Configurations/unix-Makefile.tmpl +@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html @@ -28,7 +30,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist # MANSUFFIX is for the benefit of anyone who may want to have a suffix # appended after the manpage file section number. "ssl" is popular, # resulting in files such as config.5ssl rather than config.5. -@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} +@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} CPPFLAGS={- our $cppflags1 = join(" ", (map { "-D".$_} @{$config{CPPDEFINES}}), @@ -36,14 +38,16 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist (map { "-I".$_} @{$config{CPPINCLUDES}}), @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} ---- a/Configure -+++ b/Configure +Index: openssl-3.2.3/Configure +=================================================================== +--- openssl-3.2.3.orig/Configure ++++ openssl-3.2.3/Configure 
@@ -27,7 +27,7 @@ use OpenSSL::config; my $orig_death_handler = $SIG{__DIE__}; $SIG{__DIE__} = \&death_handler; --my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; -+my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; my $banner = <<"EOF"; @@ -58,7 +62,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist # --banner=".." Output specified text instead of default completion banner # # -w Don't wait after showing a Configure warning -@@ -387,6 +391,7 @@ $config{prefix}=""; +@@ -393,6 +397,7 @@ $config{prefix}=""; $config{openssldir}=""; $config{processor}=""; $config{libdir}=""; 
@@ -66,7 +70,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -@@ -989,6 +994,10 @@ while (@argvcopy) +@@ -1047,6 +1052,10 @@ while (@argvcopy) die "FIPS key too long (64 bytes max)\n" if length $1 > 64; } @@ -77,9 +81,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist elsif (/^--banner=(.*)$/) { $banner = $1 . "\n"; ---- a/doc/man1/openssl-ciphers.pod.in -+++ b/doc/man1/openssl-ciphers.pod.in -@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B cipher s +Index: openssl-3.2.3/doc/man1/openssl-ciphers.pod.in +=================================================================== +--- openssl-3.2.3.orig/doc/man1/openssl-ciphers.pod.in ++++ openssl-3.2.3/doc/man1/openssl-ciphers.pod.in +@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B cipher s The cipher suites not enabled by B, currently B. @@ -95,9 +101,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist =item B "High" encryption cipher suites. This currently means those with key lengths ---- a/include/openssl/ssl.h.in -+++ b/include/openssl/ssl.h.in -@@ -213,6 +213,11 @@ extern "C" { +Index: openssl-3.2.3/include/openssl/ssl.h.in +=================================================================== +--- openssl-3.2.3.orig/include/openssl/ssl.h.in ++++ openssl-3.2.3/include/openssl/ssl.h.in +@@ -214,6 +214,11 @@ extern "C" { * throwing out anonymous and unencrypted ciphersuites! (The latter are not * actually enabled by ALL, but "ALL:RSA" would enable some of them.) */ 
@@ -109,9 +117,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ # define SSL_SENT_SHUTDOWN 1 ---- a/ssl/ssl_ciph.c -+++ b/ssl/ssl_ciph.c -@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const c +Index: openssl-3.2.3/ssl/ssl_ciph.c +=================================================================== +--- openssl-3.2.3.orig/ssl/ssl_ciph.c ++++ openssl-3.2.3/ssl/ssl_ciph.c +@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const c return ret; } @@ -165,7 +175,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, -@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1469,15 +1516,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; const SSL_METHOD *ssl_method = ctx->method; @@ -193,16 +203,16 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* * To reduce the work to do we only want to process the compiled -@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); - if (co_list == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); -- return NULL; /* Failure */ -+ goto err; +@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + if (num_of_ciphers > 0) { + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) +- return NULL; /* Failure */ ++ goto err; } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1565,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * in force within each class */ if (!ssl_cipher_strength_sort(&head, &tail)) { 
@@ -212,18 +222,17 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } /* -@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1610,8 +1666,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { - OPENSSL_free(co_list); - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); - return NULL; /* Failure */ + goto err; } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1633,8 +1688,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1644,8 +1699,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ @@ -233,7 +242,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } /* -@@ -1642,10 +1696,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1653,10 +1707,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { @@ -249,7 +258,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); -@@ -1697,6 +1754,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1708,6 +1765,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ *cipher_list = cipherstack; return cipherstack; 
@@ -264,9 +273,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx +Index: openssl-3.2.3/ssl/ssl_lib.c +=================================================================== +--- openssl-3.2.3.orig/ssl/ssl_lib.c ++++ openssl-3.2.3/ssl/ssl_lib.c +@@ -670,7 +670,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx ctx->tls13_ciphersuites, &(ctx->cipher_list), &(ctx->cipher_list_by_id), @@ -275,7 +286,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li +@@ -3955,7 +3955,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li if (!ssl_create_cipher_list(ret, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, @@ -283,10 +294,12 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist + SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); - goto err2; ---- a/test/cipherlist_test.c -+++ b/test/cipherlist_test.c -@@ -246,7 +246,9 @@ end: + goto err; +Index: openssl-3.2.3/test/cipherlist_test.c +=================================================================== +--- openssl-3.2.3.orig/test/cipherlist_test.c ++++ openssl-3.2.3/test/cipherlist_test.c +@@ -261,7 +261,9 @@ end: int setup_tests(void) { 
@@ -295,11 +308,42 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist +#endif ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_clear); - return 1; ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup - EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: - BN_are_coprime 5564 3_1_0 EXIST::FUNCTION: - OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP -+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: + ADD_TEST(test_stdname_cipherlist); +Index: openssl-3.2.3/util/libcrypto.num +=================================================================== +--- openssl-3.2.3.orig/util/libcrypto.num ++++ openssl-3.2.3/util/libcrypto.num +@@ -5536,3 +5536,4 @@ X509_STORE_CTX_set_get_crl + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK ++ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION: +Index: openssl-3.2.3/apps/openssl.cnf +=================================================================== +--- openssl-3.2.3.orig/apps/openssl.cnf ++++ openssl-3.2.3/apps/openssl.cnf +@@ -52,6 +52,12 @@ tsa_policy3 = 1.2.3.4.5.7 + + [openssl_init] + providers = provider_sect ++# Load default TLS policy configuration ++ssl_conf = ssl_module ++alg_section = evp_properties ++ ++[ evp_properties ] ++# This section is intentionally added empty here to be tuned on particular systems + + # List of providers to load + [provider_sect] +@@ -71,6 +76,11 @@ default = default_sect + [default_sect] + # activate = 1 + ++[ ssl_module ] ++system_default = crypto_policy ++ ++[ crypto_policy ] ++.include = /etc/crypto-policies/back-ends/opensslcnf.config + + #################################################################### + [ ca ] diff --git a/openssl-Add_support_for_Windows_CA_certificate_store.patch b/openssl-Add_support_for_Windows_CA_certificate_store.patch deleted file mode 100644 index cd143e0..0000000 
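Review bot: The new `[ crypto_policy ]` section makes the shipped default `apps/openssl.cnf` depend on `/etc/crypto-policies/back-ends/opensslcnf.config` through a bare `.include`, and as far as I recall OpenSSL's config parser treats a missing include target as non-fatal, so on a host or container image without crypto-policies the `system_default` section is silently empty and TLS falls back to the compiled-in `SSL_SYSTEM_DEFAULT_CIPHER_LIST` with no diagnostic; worth confirming, and if so the spec should require the package and the config should say so. A comment at the include would make the failure mode visible: `# Requires crypto-policies; if this file is absent the policy silently does not apply and the built-in default cipher list is used`. Separately, the `libcrypto.num` line in the same hunk exports the internal `ossl_safe_getenv` with a `?` ordinal, presumably because the libssl side of this patch (ssl_ciph.c) calls it from a different shared object; exporting an `ossl_`-prefixed internal symbol widens the libcrypto ABI, and a sentence in the patch header explaining why it is needed would help the next rebase.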
--- a/openssl-Add_support_for_Windows_CA_certificate_store.patch +++ /dev/null 
@@ -1,743 +0,0 @@ -From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001 -From: Hugo Landau -Date: Fri, 8 Apr 2022 13:10:52 +0100 -Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI - env - -Fixes #18068. ---- - CHANGES.md | 21 - Configure | 7 - crypto/x509/by_dir.c | 17 - crypto/x509/by_store.c | 14 - crypto/x509/x509_def.c | 15 - doc/build.info | 6 - doc/man3/X509_get_default_cert_file.pod | 113 +++++ - include/internal/cryptlib.h | 11 - include/internal/e_os.h | 2 - include/openssl/x509.h.in | 3 - providers/implementations/include/prov/implementations.h | 1 - providers/implementations/storemgmt/build.info | 3 - providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++ - providers/stores.inc | 3 - util/libcrypto.num | 3 - util/missingcrypto.txt | 4 - 16 files changed, 536 insertions(+), 14 deletions(-) - ---- a/CHANGES.md -+++ b/CHANGES.md -@@ -24,6 +24,27 @@ OpenSSL 3.1 - - ### Changes between 3.1.0 and 3.1.1 [30 May 2023] - -+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced. -+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The -+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of -+ paths which are searched for root certificates. -+ -+ The existing `SSL_CERT_DIR` environment variable is deprecated. -+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated -+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes -+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate -+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored -+ for the purposes of determining root certificate stores. -+ -+ *Hugo Landau* -+ -+ * Support for loading root certificates from the Windows certificate store -+ has been added. The support is in the form of a store which recognises the -+ URI string of `org.openssl.winstore://`. 
This store is enabled by default and -+ can be disabled using the new compile-time option `no-winstore`. -+ -+ *Hugo Landau* -+ - * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic - OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. - ---- a/Configure -+++ b/Configure -@@ -420,6 +420,7 @@ my @disablables = ( - "cached-fetch", - "camellia", - "capieng", -+ "winstore", - "cast", - "chacha", - "cmac", -@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) { - } - } - -+unless ($disabled{winstore}) { -+ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) { -+ disable('not-windows', 'winstore'); -+ } -+} -+ - push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); - - # Get the extra flags used when building shared libraries and modules. We ---- a/crypto/x509/by_dir.c -+++ b/crypto/x509/by_dir.c -@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in - switch (cmd) { - case X509_L_ADD_DIR: - if (argl == X509_FILETYPE_DEFAULT) { -- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env()); -+ /* If SSL_CERT_PATH is provided and non-empty, use that. */ -+ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env()); - -- if (dir) -- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); -- else -- ret = add_cert_dir(ld, X509_get_default_cert_dir(), -- X509_FILETYPE_PEM); -+ /* Fallback to SSL_CERT_DIR. */ -+ if (dir == NULL) -+ dir = ossl_safe_getenv(X509_get_default_cert_dir_env()); -+ -+ /* Fallback to built-in default. */ -+ if (dir == NULL) -+ dir = X509_get_default_cert_dir(); -+ -+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); - if (!ret) { - ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR); - } ---- a/crypto/x509/by_store.c -+++ b/crypto/x509/by_store.c -@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP - { - switch (cmd) { - case X509_L_ADD_STORE: -- /* If no URI is given, use the default cert dir as default URI */ -+ /* First try the newer default cert URI envvar. 
*/ -+ if (argp == NULL) -+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env()); -+ -+ /* If not set, see if we have a URI in the older cert dir envvar. */ - if (argp == NULL) - argp = ossl_safe_getenv(X509_get_default_cert_dir_env()); -+ -+ /* Fallback to default store URI. */ - if (argp == NULL) -- argp = X509_get_default_cert_dir(); -+ argp = X509_get_default_cert_uri(); -+ -+ /* No point adding an empty URI. */ -+ if (!*argp) -+ return 1; - - { - STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx); ---- a/crypto/x509/x509_def.c -+++ b/crypto/x509/x509_def.c -@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v - return X509_CERT_AREA; - } - -+const char *X509_get_default_cert_uri(void) -+{ -+ return X509_CERT_URI; -+} -+ - const char *X509_get_default_cert_dir(void) - { - return X509_CERT_DIR; -@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v - return X509_CERT_FILE; - } - -+const char *X509_get_default_cert_uri_env(void) -+{ -+ return X509_CERT_URI_EVP; -+} -+ -+const char *X509_get_default_cert_path_env(void) -+{ -+ return X509_CERT_PATH_EVP; -+} -+ - const char *X509_get_default_cert_dir_env(void) - { - return X509_CERT_DIR_EVP; ---- a/doc/build.info -+++ b/doc/build.info -@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma - GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod - DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod - GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod -+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod -+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod -+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod -+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod - DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod - 
GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod - DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod -@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht - html/man3/X509_get0_notBefore.html \ - html/man3/X509_get0_signature.html \ - html/man3/X509_get0_uids.html \ -+html/man3/X509_get_default_cert_file.html \ - html/man3/X509_get_extension_flags.html \ - html/man3/X509_get_pubkey.html \ - html/man3/X509_get_serialNumber.html \ -@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \ - man/man3/X509_get0_notBefore.3 \ - man/man3/X509_get0_signature.3 \ - man/man3/X509_get0_uids.3 \ -+man/man3/X509_get_default_cert_file.3 \ - man/man3/X509_get_extension_flags.3 \ - man/man3/X509_get_pubkey.3 \ - man/man3/X509_get_serialNumber.3 \ ---- /dev/null -+++ b/doc/man3/X509_get_default_cert_file.pod -@@ -0,0 +1,113 @@ -+=pod -+ -+=head1 NAME -+ -+X509_get_default_cert_file, X509_get_default_cert_file_env, -+X509_get_default_cert_path_env, -+X509_get_default_cert_dir, X509_get_default_cert_dir_env, -+X509_get_default_cert_uri, X509_get_default_cert_uri_env - -+retrieve default locations for trusted CA certificates -+ -+=head1 SYNOPSIS -+ -+ #include -+ -+ const char *X509_get_default_cert_file(void); -+ const char *X509_get_default_cert_dir(void); -+ const char *X509_get_default_cert_uri(void); -+ -+ const char *X509_get_default_cert_file_env(void); -+ const char *X509_get_default_cert_path_env(void); -+ const char *X509_get_default_cert_dir_env(void); -+ const char *X509_get_default_cert_uri_env(void); -+ -+=head1 DESCRIPTION -+ -+The X509_get_default_cert_file() function returns the default path -+to a file containing trusted CA certificates. OpenSSL will use this as -+the default path when it is asked to load trusted CA certificates -+from a file and no other path is specified. If the file exists, CA certificates -+are loaded from the file. 
-+ -+The X509_get_default_cert_dir() function returns a default delimeter-separated -+list of paths to a directories containing trusted CA certificates named in the -+hashed format. OpenSSL will use this as the default list of paths when it is -+asked to load trusted CA certificates from a directory and no other path is -+specified. If a given directory in the list exists, OpenSSL attempts to lookup -+CA certificates in this directory by calculating a filename based on a hash of -+the certificate's subject name. -+ -+The X509_get_default_cert_uri() function returns the default URI for a -+certificate store accessed programmatically via an OpenSSL provider. If there is -+no default store applicable to the system for which OpenSSL was compiled, this -+returns an empty string. -+ -+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return -+environment variable names which are recommended to specify nondefault values to -+be used instead of the values returned by X509_get_default_cert_file() and -+X509_get_default_cert_uri() respectively. The values returned by the latter -+functions are not affected by these environment variables; you must check for -+these environment variables yourself, using these functions to retrieve the -+correct environment variable names. If an environment variable is not set, the -+value returned by the corresponding function above should be used. -+ -+X509_get_default_cert_path_env() returns the environment variable name which is -+recommended to specify a nondefault value to be used instead of the value -+returned by X509_get_default_cert_dir(). This environment variable supercedes -+the deprecated environment variable whose name is returned by -+X509_get_default_cert_dir_env(). This environment variable was deprecated as its -+contents can be interpreted ambiguously; see NOTES. 
-+ -+By default, OpenSSL uses the path list specified in the environment variable -+whose name is returned by X509_get_default_cert_path_env() if it is set; -+otherwise, it uses the path list specified in the environment variable whose -+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it -+uses the value returned by X509_get_default_cert_dir()). -+ -+=head1 NOTES -+ -+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and -+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this -+release, store URIs were expressed via the environment variable returned by -+X509_get_default_cert_dir_env(); this environment variable could be used to -+specify either a list of directories or a store URI. This creates an ambiguity -+in which the environment variable returned by X509_get_default_cert_dir_env() is -+interpreted both as a list of directories and as a store URI. -+ -+This usage and the environment variable returned by -+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use -+the environment variable returned by X509_get_default_cert_uri_env(), and to -+specify a list of directories, use the environment variable returned by -+X509_get_default_cert_path_env(). -+ -+=head1 RETURN VALUES -+ -+These functions return pointers to constant strings with static storage -+duration. -+ -+=head1 SEE ALSO -+ -+L, -+L, -+L, -+L, -+L, -+L, -+L, -+L -+ -+=head1 HISTORY -+ -+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and -+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1. -+ -+=head1 COPYRIGHT -+ -+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ -+Licensed under the Apache License 2.0 (the "License"). You may not use -+this file except in compliance with the License. You can obtain a copy -+in the file LICENSE in the source distribution or at -+L. 
-+ -+=cut ---- a/include/internal/cryptlib.h -+++ b/include/internal/cryptlib.h -@@ -13,6 +13,8 @@ - - # include - # include -+# include "openssl/configuration.h" -+# include "internal/e_os.h" /* ossl_inline in many files */ - - # ifdef OPENSSL_USE_APPLINK - # define BIO_FLAGS_UPLINK_INTERNAL 0x8000 -@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM); - # define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf" - # endif - -+#ifndef OPENSSL_NO_WINSTORE -+# define X509_CERT_URI "org.openssl.winstore://" -+#else -+# define X509_CERT_URI "" -+#endif -+ -+# define X509_CERT_URI_EVP "SSL_CERT_URI" -+# define X509_CERT_PATH_EVP "SSL_CERT_PATH" - # define X509_CERT_DIR_EVP "SSL_CERT_DIR" - # define X509_CERT_FILE_EVP "SSL_CERT_FILE" - # define CTLOG_FILE_EVP "CTLOG_FILE" -@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_ - # endif - return path[0] == '/'; - } -- - #endif ---- a/include/internal/e_os.h -+++ b/include/internal/e_os.h -@@ -249,7 +249,7 @@ FILE *__iob_func(); - /***********************************************/ - - # if defined(OPENSSL_SYS_WINDOWS) --# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE) -+# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE) - # define open _open - # define fdopen _fdopen - # define close _close ---- a/include/openssl/x509.h.in -+++ b/include/openssl/x509.h.in -@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s - ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj); - - const char *X509_get_default_cert_area(void); -+const char *X509_get_default_cert_uri(void); - const char *X509_get_default_cert_dir(void); - const char *X509_get_default_cert_file(void); -+const char *X509_get_default_cert_uri_env(void); -+const char *X509_get_default_cert_path_env(void); - const char *X509_get_default_cert_dir_env(void); - const char *X509_get_default_cert_file_env(void); - const char *X509_get_default_private_dir(void); ---- a/providers/implementations/include/prov/implementations.h -+++ 
b/providers/implementations/include/prov/implementations.h -@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP - extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[]; - - extern const OSSL_DISPATCH ossl_file_store_functions[]; -+extern const OSSL_DISPATCH ossl_winstore_store_functions[]; ---- a/providers/implementations/storemgmt/build.info -+++ b/providers/implementations/storemgmt/build.info -@@ -4,3 +4,6 @@ - $STORE_GOAL=../../libdefault.a - - SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c -+IF[{- !$disabled{winstore} -}] -+ SOURCE[$STORE_GOAL]=winstore_store.c -+ENDIF ---- /dev/null -+++ b/providers/implementations/storemgmt/winstore_store.c -@@ -0,0 +1,327 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include /* The OSSL_STORE_INFO type numbers */ -+#include "internal/cryptlib.h" -+#include "internal/o_dir.h" -+#include "crypto/decoder.h" -+#include "crypto/ctype.h" /* ossl_isdigit() */ -+#include "prov/implementations.h" -+#include "prov/bio.h" -+#include "file_store_local.h" -+ -+#include -+ -+enum { -+ STATE_IDLE, -+ STATE_READ, -+ STATE_EOF, -+}; -+ -+struct winstore_ctx_st { -+ void *provctx; -+ char *propq; -+ unsigned char *subject; -+ size_t subject_len; -+ -+ HCERTSTORE win_store; -+ const CERT_CONTEXT *win_ctx; -+ int state; -+ -+ OSSL_DECODER_CTX *dctx; -+}; -+ -+static void winstore_win_reset(struct winstore_ctx_st *ctx) -+{ -+ if (ctx->win_ctx != NULL) { -+ CertFreeCertificateContext(ctx->win_ctx); -+ ctx->win_ctx = NULL; -+ } -+ -+ ctx->state = STATE_IDLE; -+} -+ -+static void winstore_win_advance(struct winstore_ctx_st 
*ctx) -+{ -+ CERT_NAME_BLOB name = {0}; -+ -+ if (ctx->state == STATE_EOF) -+ return; -+ -+ name.cbData = ctx->subject_len; -+ name.pbData = ctx->subject; -+ -+ ctx->win_ctx = (name.cbData == 0 ? NULL : -+ CertFindCertificateInStore(ctx->win_store, -+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, -+ 0, CERT_FIND_SUBJECT_NAME, -+ &name, ctx->win_ctx)); -+ -+ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ; -+} -+ -+static void *winstore_open(void *provctx, const char *uri) -+{ -+ struct winstore_ctx_st *ctx = NULL; -+ -+ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:")) -+ return NULL; -+ -+ ctx = OPENSSL_zalloc(sizeof(*ctx)); -+ if (ctx == NULL) -+ return NULL; -+ -+ ctx->provctx = provctx; -+ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT"); -+ if (ctx->win_store == NULL) { -+ OPENSSL_free(ctx); -+ return NULL; -+ } -+ -+ winstore_win_reset(ctx); -+ return ctx; -+} -+ -+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin) -+{ -+ return NULL; /* not supported */ -+} -+ -+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[]) -+{ -+ static const OSSL_PARAM known_settable_ctx_params[] = { -+ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0), -+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0), -+ OSSL_PARAM_END -+ }; -+ return known_settable_ctx_params; -+} -+ -+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[]) -+{ -+ struct winstore_ctx_st *ctx = loaderctx; -+ const OSSL_PARAM *p; -+ int do_reset = 0; -+ -+ if (params == NULL) -+ return 1; -+ -+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES); -+ if (p != NULL) { -+ do_reset = 1; -+ OPENSSL_free(ctx->propq); -+ ctx->propq = NULL; -+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0)) -+ return 0; -+ } -+ -+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT); -+ if (p != NULL) { -+ const unsigned char *der = NULL; -+ size_t der_len = 0; -+ -+ if 
(!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len)) -+ return 0; -+ -+ do_reset = 1; -+ -+ OPENSSL_free(ctx->subject); -+ -+ ctx->subject = OPENSSL_malloc(der_len); -+ if (ctx->subject == NULL) { -+ ctx->subject_len = 0; -+ return 0; -+ } -+ -+ ctx->subject_len = der_len; -+ memcpy(ctx->subject, der, der_len); -+ } -+ -+ if (do_reset) { -+ winstore_win_reset(ctx); -+ winstore_win_advance(ctx); -+ } -+ -+ return 1; -+} -+ -+struct load_data_st { -+ OSSL_CALLBACK *object_cb; -+ void *object_cbarg; -+}; -+ -+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst, -+ const OSSL_PARAM *params, void *construct_data) -+{ -+ struct load_data_st *data = construct_data; -+ return data->object_cb(params, data->object_cbarg); -+} -+ -+static void load_cleanup(void *construct_data) -+{ -+ /* No-op. */ -+} -+ -+static int setup_decoder(struct winstore_ctx_st *ctx) -+{ -+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx); -+ const OSSL_ALGORITHM *to_algo = NULL; -+ -+ if (ctx->dctx != NULL) -+ return 1; -+ -+ ctx->dctx = OSSL_DECODER_CTX_new(); -+ if (ctx->dctx == NULL) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ for (to_algo = ossl_any_to_obj_algorithm; -+ to_algo->algorithm_names != NULL; -+ to_algo++) { -+ OSSL_DECODER *to_obj = NULL; -+ OSSL_DECODER_INSTANCE *to_obj_inst = NULL; -+ -+ /* -+ * Create the internal last resort decoder implementation -+ * together with a "decoder instance". -+ * The decoder doesn't need any identification or to be -+ * attached to any provider, since it's only used locally. 
-+ */ -+ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL); -+ if (to_obj != NULL) -+ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx); -+ -+ OSSL_DECODER_free(to_obj); -+ if (to_obj_inst == NULL) -+ goto err; -+ -+ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx, -+ to_obj_inst)) { -+ ossl_decoder_instance_free(to_obj_inst); -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ } -+ -+ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ return 1; -+ -+err: -+ OSSL_DECODER_CTX_free(ctx->dctx); -+ ctx->dctx = NULL; -+ return 0; -+} -+ -+static int winstore_load_using(struct winstore_ctx_st *ctx, -+ OSSL_CALLBACK *object_cb, void *object_cbarg, -+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg, -+ const void *der, size_t der_len) -+{ -+ struct load_data_st data; -+ const unsigned char *der_ = der; -+ size_t der_len_ = der_len; -+ -+ if (setup_decoder(ctx) == 0) -+ return 0; -+ -+ data.object_cb = object_cb; -+ data.object_cbarg = object_cbarg; -+ -+ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data); -+ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg); -+ -+ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0) -+ return 0; -+ -+ return 1; -+} -+ -+static int winstore_load(void *loaderctx, -+ OSSL_CALLBACK *object_cb, void *object_cbarg, -+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) -+{ -+ int ret = 0; -+ struct winstore_ctx_st *ctx = loaderctx; -+ -+ if (ctx->state != STATE_READ) -+ return 0; -+ -+ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg, -+ ctx->win_ctx->pbCertEncoded, -+ ctx->win_ctx->cbCertEncoded); 
-+ -+ if (ret == 1) -+ winstore_win_advance(ctx); -+ -+ return ret; -+} -+ -+static int winstore_eof(void *loaderctx) -+{ -+ struct winstore_ctx_st *ctx = loaderctx; -+ -+ return ctx->state != STATE_READ; -+} -+ -+static int winstore_close(void *loaderctx) -+{ -+ struct winstore_ctx_st *ctx = loaderctx; -+ -+ winstore_win_reset(ctx); -+ CertCloseStore(ctx->win_store, 0); -+ OSSL_DECODER_CTX_free(ctx->dctx); -+ OPENSSL_free(ctx->propq); -+ OPENSSL_free(ctx->subject); -+ OPENSSL_free(ctx); -+ return 1; -+} -+ -+const OSSL_DISPATCH ossl_winstore_store_functions[] = { -+ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open }, -+ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach }, -+ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params }, -+ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params }, -+ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load }, -+ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof }, -+ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close }, -+ { 0, NULL }, -+}; ---- a/providers/stores.inc -+++ b/providers/stores.inc -@@ -12,3 +12,6 @@ - #endif - - STORE("file", "yes", ossl_file_store_functions) -+#ifndef OPENSSL_NO_WINSTORE -+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions) -+#endif ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup - EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: - BN_are_coprime 5564 3_1_0 EXIST::FUNCTION: - OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP -+X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION: -+X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION: -+X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION: - ossl_safe_getenv ? 
3_0_0 EXIST::FUNCTION:
---- a/util/missingcrypto.txt
-+++ b/util/missingcrypto.txt
-@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
- X509_get1_email(3)
- X509_get1_ocsp(3)
- X509_get_default_cert_area(3)
--X509_get_default_cert_dir(3)
--X509_get_default_cert_dir_env(3)
--X509_get_default_cert_file(3)
--X509_get_default_cert_file_env(3)
- X509_get_default_private_dir(3)
- X509_get_pubkey_parameters(3)
- X509_get_signature_type(3)
diff --git a/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
deleted file mode 100644
index 7779fba..0000000
--- a/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+++ /dev/null
@@ -1,217 +0,0 @@ -From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Tue, 1 Mar 2022 15:44:18 +0100 -Subject: Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = yes - -NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1 -in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because -on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level -to 2. - -On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security -level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and -we want the legacy crypto policy to allow SHA-1 in TLS, the only option -to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is -SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to -allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which -will allow SHA-1 in OpenSSL 3). - -The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because -rh-allow-sha1-signatures will default to yes in Fedora (according to our -current plans including until F38), and the security level in the -DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the -default configuration. 
- -Related: rhbz#2055796 -Related: rhbz#2070977 ---- - crypto/x509/x509_vfy.c | 20 ++++++++++- - doc/man5/config.pod | 7 ++++ - ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++------- - test/recipes/25-test_verify.t | 4 +-- - 4 files changed, 82 insertions(+), 16 deletions(-) - -Index: openssl-3.1.4/crypto/x509/x509_vfy.c -=================================================================== ---- openssl-3.1.4.orig/crypto/x509/x509_vfy.c -+++ openssl-3.1.4/crypto/x509/x509_vfy.c -@@ -25,6 +25,7 @@ - #include - #include - #include "internal/dane.h" -+#include "internal/sslconf.h" - #include "crypto/x509.h" - #include "x509_local.h" - -@@ -3438,14 +3439,31 @@ static int check_sig_level(X509_STORE_CT - { - int secbits = -1; - int level = ctx->param->auth_level; -+ int nid; -+ OSSL_LIB_CTX *libctx = NULL; - - if (level <= 0) - return 1; - if (level > NUM_AUTH_LEVELS) - level = NUM_AUTH_LEVELS; - -- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) -+ if (ctx->libctx) -+ libctx = ctx->libctx; -+ else if (cert->libctx) -+ libctx = cert->libctx; -+ else -+ libctx = OSSL_LIB_CTX_get0_global_default(); -+ -+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL)) - return 0; - -+ if ((nid == NID_sha1 || nid == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ctx->param->auth_level < 2) -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ return 1; -+ - return secbits >= minbits_table[level - 1]; - } -Index: openssl-3.1.4/doc/man5/config.pod -=================================================================== ---- openssl-3.1.4.orig/doc/man5/config.pod -+++ openssl-3.1.4/doc/man5/config.pod -@@ -317,6 +317,13 @@ this option is set to B. Because TL - pseudorandom function (PRF) to derive key material, disabling - B requires the use of TLS 1.2 or newer. 
- -+Note that enabling B will allow TLS signature -+algorithms that use SHA1 in security level 1, despite the definition of -+security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet. -+This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on -+Fedora without requiring to set the security level to 0, which would include -+further insecure algorithms, and thus restores support for TLS 1.0 and 1.1. -+ - This is a downstream specific option, and normally it should be set up via crypto-policies. - - =item B (deprecated) -Index: openssl-3.1.4/ssl/t1_lib.c -=================================================================== ---- openssl-3.1.4.orig/ssl/t1_lib.c -+++ openssl-3.1.4/ssl/t1_lib.c -@@ -20,6 +20,7 @@ - #include - #include - #include -+#include "crypto/x509.h" - #include "internal/sslconf.h" - #include "internal/nelem.h" - #include "internal/sizes.h" -@@ -1588,19 +1589,28 @@ int tls12_check_peer_sigalg(SSL *s, uint - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); - return 0; - } -- /* -- * Make sure security callback allows algorithm. For historical -- * reasons we have to pass the sigalg as a two byte char array. -- */ -- sigalgstr[0] = (sig >> 8) & 0xff; -- sigalgstr[1] = sig & 0xff; -- secbits = sigalg_security_bits(s->ctx, lu); -- if (secbits == 0 || -- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, -- md != NULL ? EVP_MD_get_type(md) : NID_undef, -- (void *)sigalgstr)) { -- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); -- return 0; -+ -+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) -+ && SSL_get_security_level(s) < 2) { -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ } else { -+ /* -+ * Make sure security callback allows algorithm. 
For historical -+ * reasons we have to pass the sigalg as a two byte char array. -+ */ -+ sigalgstr[0] = (sig >> 8) & 0xff; -+ sigalgstr[1] = sig & 0xff; -+ secbits = sigalg_security_bits(s->ctx, lu); -+ if (secbits == 0 || -+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, -+ md != NULL ? EVP_MD_get_type(md) : NID_undef, -+ (void *)sigalgstr)) { -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); -+ return 0; -+ } - } - /* Store the sigalg the peer uses */ - s->s3.tmp.peer_sigalg = lu; -@@ -2138,6 +2148,15 @@ static int tls12_sigalg_allowed(const SS - } - } - -+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) -+ && SSL_get_security_level(s) < 2) { -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ return 1; -+ } -+ - /* Finally see if security callback allows it */ - secbits = sigalg_security_bits(s->ctx, lu); - sigalgstr[0] = (lu->sigalg >> 8) & 0xff; -@@ -3007,6 +3026,8 @@ static int ssl_security_cert_sig(SSL *s, - { - /* Lookup signature algorithm digest */ - int secbits, nid, pknid; -+ OSSL_LIB_CTX *libctx = NULL; -+ - /* Don't check signature if self signed */ - if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) - return 1; -@@ -3015,6 +3036,26 @@ static int ssl_security_cert_sig(SSL *s, - /* If digest NID not defined use signature NID */ - if (nid == NID_undef) - nid = pknid; -+ -+ if (x && x->libctx) -+ libctx = x->libctx; -+ else if (ctx && ctx->libctx) -+ libctx = ctx->libctx; -+ else if (s && s->ctx && s->ctx->libctx) -+ libctx = s->ctx->libctx; -+ else -+ libctx = OSSL_LIB_CTX_get0_global_default(); -+ -+ if ((nid == NID_sha1 || nid == NID_md5_sha1) -+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ((s != NULL && SSL_get_security_level(s) < 2) -+ || (ctx != NULL && 
SSL_CTX_get_security_level(ctx) < 2) -+ )) -+ /* When rh-allow-sha1-signatures = yes and security level <= 1, -+ * explicitly allow SHA1 for backwards compatibility. Also allow -+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ -+ return 1; -+ - if (s) - return ssl_security(s, op, secbits, nid, x); - else -Index: openssl-3.1.4/test/recipes/25-test_verify.t -=================================================================== ---- openssl-3.1.4.orig/test/recipes/25-test_verify.t -+++ openssl-3.1.4/test/recipes/25-test_verify.t -@@ -439,8 +439,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root - ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ), - "CA with PSS signature using SHA256"); - --ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), -- "Reject PSS signature using SHA1 and auth level 1"); -+ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), -+ "Reject PSS signature using SHA1 and auth level 2"); - - ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), - "PSS signature using SHA256 and auth level 2"); diff --git a/openssl-Allow-disabling-of-SHA1-signatures.patch b/openssl-Allow-disabling-of-SHA1-signatures.patch index 6a995e6..b6e93f8 100644 --- a/openssl-Allow-disabling-of-SHA1-signatures.patch +++ b/openssl-Allow-disabling-of-SHA1-signatures.patch @@ -26,11 +26,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd util/libcrypto.num | 2 + 15 files changed, 209 insertions(+), 9 deletions(-) -Index: openssl-3.1.4/crypto/context.c +Index: openssl-3.2.3/crypto/context.c =================================================================== ---- openssl-3.1.4.orig/crypto/context.c -+++ openssl-3.1.4/crypto/context.c -@@ -78,6 +78,8 @@ struct ossl_lib_ctx_st { +--- openssl-3.2.3.orig/crypto/context.c ++++ openssl-3.2.3/crypto/context.c +@@ -82,6 +82,8 @@ struct ossl_lib_ctx_st { void *fips_prov; #endif 
@@ -39,7 +39,7 @@ Index: openssl-3.1.4/crypto/context.c unsigned int ischild:1; }; -@@ -206,6 +208,10 @@ static int context_init(OSSL_LIB_CTX *ct +@@ -222,6 +224,10 @@ static int context_init(OSSL_LIB_CTX *ct goto err; #endif @@ -50,7 +50,7 @@ Index: openssl-3.1.4/crypto/context.c /* Low priority. */ #ifndef FIPS_MODULE ctx->child_provider = ossl_child_prov_ctx_new(ctx); -@@ -334,6 +340,11 @@ static void context_deinit_objs(OSSL_LIB +@@ -365,6 +371,11 @@ static void context_deinit_objs(OSSL_LIB } #endif @@ -62,7 +62,7 @@ Index: openssl-3.1.4/crypto/context.c /* Low priority. */ #ifndef FIPS_MODULE if (ctx->child_provider != NULL) { -@@ -625,6 +636,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX +@@ -662,6 +673,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX return ctx->fips_prov; #endif @@ -72,10 +72,10 @@ Index: openssl-3.1.4/crypto/context.c default: return NULL; } -Index: openssl-3.1.4/crypto/evp/evp_cnf.c +Index: openssl-3.2.3/crypto/evp/evp_cnf.c =================================================================== ---- openssl-3.1.4.orig/crypto/evp/evp_cnf.c -+++ openssl-3.1.4/crypto/evp/evp_cnf.c +--- openssl-3.2.3.orig/crypto/evp/evp_cnf.c ++++ openssl-3.2.3/crypto/evp/evp_cnf.c @@ -10,6 +10,7 @@ #include #include @@ -103,10 +103,10 @@ Index: openssl-3.1.4/crypto/evp/evp_cnf.c } else { ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, "name=%s, value=%s", oval->name, oval->value); -Index: openssl-3.1.4/crypto/evp/m_sigver.c +Index: openssl-3.2.3/crypto/evp/m_sigver.c =================================================================== ---- openssl-3.1.4.orig/crypto/evp/m_sigver.c -+++ openssl-3.1.4/crypto/evp/m_sigver.c +--- openssl-3.2.3.orig/crypto/evp/m_sigver.c ++++ openssl-3.2.3/crypto/evp/m_sigver.c @@ -15,6 +15,69 @@ #include "internal/provider.h" #include "internal/numbers.h" /* includes SIZE_MAX */ 
@@ -177,7 +177,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c #ifndef FIPS_MODULE -@@ -251,6 +314,18 @@ static int do_sigver_init(EVP_MD_CTX *ct +@@ -253,6 +316,18 @@ static int do_sigver_init(EVP_MD_CTX *ct } } @@ -196,10 +196,10 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c if (ver) { if (signature->digest_verify_init == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -Index: openssl-3.1.4/crypto/evp/pmeth_lib.c +Index: openssl-3.2.3/crypto/evp/pmeth_lib.c =================================================================== ---- openssl-3.1.4.orig/crypto/evp/pmeth_lib.c -+++ openssl-3.1.4/crypto/evp/pmeth_lib.c +--- openssl-3.2.3.orig/crypto/evp/pmeth_lib.c ++++ openssl-3.2.3/crypto/evp/pmeth_lib.c @@ -33,6 +33,7 @@ #include "internal/ffc.h" #include "internal/numbers.h" @@ -208,7 +208,7 @@ Index: openssl-3.1.4/crypto/evp/pmeth_lib.c #include "evp_local.h" #ifndef FIPS_MODULE -@@ -959,6 +960,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_ +@@ -951,6 +952,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_ return -2; } @@ -229,10 +229,10 @@ Index: openssl-3.1.4/crypto/evp/pmeth_lib.c if (fallback) return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md)); -Index: openssl-3.1.4/doc/man5/config.pod +Index: openssl-3.2.3/doc/man5/config.pod =================================================================== ---- openssl-3.1.4.orig/doc/man5/config.pod -+++ openssl-3.1.4/doc/man5/config.pod +--- openssl-3.2.3.orig/doc/man5/config.pod ++++ openssl-3.2.3/doc/man5/config.pod @@ -304,6 +304,21 @@ Within the algorithm properties section, The value may be anything that is acceptable as a property query string for EVP_set_default_properties(). 
@@ -255,35 +255,35 @@ Index: openssl-3.1.4/doc/man5/config.pod =item B (deprecated) The value is a boolean that can be B or B. If the value is -Index: openssl-3.1.4/include/crypto/context.h +Index: openssl-3.2.3/include/crypto/context.h =================================================================== ---- openssl-3.1.4.orig/include/crypto/context.h -+++ openssl-3.1.4/include/crypto/context.h -@@ -40,3 +40,6 @@ void ossl_rand_crng_ctx_free(void *); - void ossl_thread_event_ctx_free(void *); - void ossl_fips_prov_ossl_ctx_free(void *); - void ossl_release_default_drbg_ctx(void); +--- openssl-3.2.3.orig/include/crypto/context.h ++++ openssl-3.2.3/include/crypto/context.h +@@ -46,3 +46,6 @@ void ossl_release_default_drbg_ctx(void) + #if defined(OPENSSL_THREADS) + void ossl_threads_ctx_free(void *); + #endif + +void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *); +void ossl_ctx_legacy_digest_signatures_free(void *); -Index: openssl-3.1.4/include/internal/cryptlib.h +Index: openssl-3.2.3/include/internal/cryptlib.h =================================================================== ---- openssl-3.1.4.orig/include/internal/cryptlib.h -+++ openssl-3.1.4/include/internal/cryptlib.h -@@ -178,7 +178,8 @@ typedef struct ossl_ex_data_global_st { - # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16 - # define OSSL_LIB_CTX_BIO_CORE_INDEX 17 +--- openssl-3.2.3.orig/include/internal/cryptlib.h ++++ openssl-3.2.3/include/internal/cryptlib.h +@@ -117,7 +117,8 @@ typedef struct ossl_ex_data_global_st { # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 --# define OSSL_LIB_CTX_MAX_INDEXES 19 -+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 19 -+# define OSSL_LIB_CTX_MAX_INDEXES 20 + # define OSSL_LIB_CTX_THREAD_INDEX 19 + # define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20 +-# define OSSL_LIB_CTX_MAX_INDEXES 20 ++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21 ++# define OSSL_LIB_CTX_MAX_INDEXES 21 OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx); int 
ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx); -Index: openssl-3.1.4/include/internal/sslconf.h +Index: openssl-3.2.3/include/internal/sslconf.h =================================================================== ---- openssl-3.1.4.orig/include/internal/sslconf.h -+++ openssl-3.1.4/include/internal/sslconf.h +--- openssl-3.2.3.orig/include/internal/sslconf.h ++++ openssl-3.2.3/include/internal/sslconf.h @@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, char **arg); @@ -293,10 +293,10 @@ Index: openssl-3.1.4/include/internal/sslconf.h +int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, + int loadconfig); #endif -Index: openssl-3.1.4/providers/common/securitycheck.c +Index: openssl-3.2.3/providers/common/securitycheck.c =================================================================== ---- openssl-3.1.4.orig/providers/common/securitycheck.c -+++ openssl-3.1.4/providers/common/securitycheck.c +--- openssl-3.2.3.orig/providers/common/securitycheck.c ++++ openssl-3.2.3/providers/common/securitycheck.c @@ -19,6 +19,7 @@ #include #include @@ -336,10 +336,10 @@ Index: openssl-3.1.4/providers/common/securitycheck.c + return 1; } -Index: openssl-3.1.4/providers/common/securitycheck_default.c +Index: openssl-3.2.3/providers/common/securitycheck_default.c =================================================================== ---- openssl-3.1.4.orig/providers/common/securitycheck_default.c -+++ openssl-3.1.4/providers/common/securitycheck_default.c +--- openssl-3.2.3.orig/providers/common/securitycheck_default.c ++++ openssl-3.2.3/providers/common/securitycheck_default.c @@ -15,6 +15,7 @@ #include #include "prov/securitycheck.h" 
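Review bot: The rebased cryptlib.h hunk silently changes what OSSL_LIB_CTX_MAX_INDEXES means relative to the 3.1.4 version of this patch: the old hunk set it to one past the highest index (`OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 19` / `OSSL_LIB_CTX_MAX_INDEXES 20`), whereas the new hunk sets both the new index and MAX_INDEXES to 21, mirroring the upstream 3.2.3 context lines where `DECODER_CACHE_INDEX 20` sits next to `MAX_INDEXES 20`. If anything in the 3.2.3 tree still uses OSSL_LIB_CTX_MAX_INDEXES as an array size or loop bound, an index of 21 is out of range by one; if the macro is effectively unused since the switch-based getter visible in the context.c hunk (`default: return NULL;`), the value is cosmetic. Before shipping, check `grep -rn OSSL_LIB_CTX_MAX_INDEXES` against 3.2.3 and either keep the upstream convention deliberately or use `# define OSSL_LIB_CTX_MAX_INDEXES 22` if it is a count, and record the decision in the patch header so the next rebase does not flip it again. The updated context.h anchor on the `ossl_threads_ctx_free` declaration looks correct.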
@@ -373,11 +373,11 @@ Index: openssl-3.1.4/providers/common/securitycheck_default.c + mdnid = -1; return mdnid; } -Index: openssl-3.1.4/providers/implementations/signature/dsa_sig.c +Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/dsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/dsa_sig.c -@@ -123,12 +123,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ct +--- openssl-3.2.3.orig/providers/implementations/signature/dsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/dsa_sig.c +@@ -125,12 +125,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ct mdprops = ctx->propq; if (mdname != NULL) { @@ -398,11 +398,11 @@ Index: openssl-3.1.4/providers/implementations/signature/dsa_sig.c if (md == NULL || md_nid < 0) { if (md == NULL) -Index: openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c +Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/ecdsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c -@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX +--- openssl-3.2.3.orig/providers/implementations/signature/ecdsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c +@@ -247,7 +247,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX "%s could not be fetched", mdname); return 0; } 
@@ -414,10 +414,10 @@ Index: openssl-3.1.4/providers/implementations/signature/ecdsa_sig.c md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, sha1_allowed); if (md_nid < 0) { -Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c +Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c +--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c @@ -25,6 +25,7 @@ #include "internal/cryptlib.h" #include "internal/nelem.h" @@ -434,7 +434,7 @@ Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c OSSL_FUNC_signature_newctx_fn rsa_newctx; static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; -@@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ct +@@ -317,10 +319,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ct if (mdname != NULL) { EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); @@ -452,7 +452,7 @@ Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c if (md == NULL || md_nid <= 0 -@@ -1386,8 +1393,15 @@ static int rsa_set_ctx_params(void *vprs +@@ -1408,8 +1415,15 @@ static int rsa_set_ctx_params(void *vprs prsactx->pad_mode = pad_mode; if (prsactx->md == NULL && pmdname == NULL @@ -469,10 +469,10 @@ Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c if (pmgf1mdname != NULL && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) -Index: openssl-3.1.4/ssl/t1_lib.c +Index: openssl-3.2.3/ssl/t1_lib.c =================================================================== ---- openssl-3.1.4.orig/ssl/t1_lib.c -+++ openssl-3.1.4/ssl/t1_lib.c +--- openssl-3.2.3.orig/ssl/t1_lib.c ++++ openssl-3.2.3/ssl/t1_lib.c @@ -20,6 +20,7 @@ #include #include 
@@ -481,21 +481,23 @@ Index: openssl-3.1.4/ssl/t1_lib.c #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/tlsgroups.h" -@@ -1172,11 +1173,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) - = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); +@@ -1508,6 +1509,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + uint16_t *tls12_sigalgs_list = NULL; EVP_PKEY *tmpkey = EVP_PKEY_new(); int ret = 0; + int ldsigs_allowed; - if (cache == NULL || tmpkey == NULL) + if (ctx == NULL) + goto err; +@@ -1523,6 +1525,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) goto err; ERR_set_mark(); + ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0); + /* First fill cache and tls12_sigalgs list from legacy algorithm list */ for (i = 0, lu = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { - EVP_PKEY_CTX *pctx; -@@ -1196,6 +1199,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) +@@ -1544,6 +1547,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) cache[i].enabled = 0; continue; } @@ -507,13 +509,13 @@ Index: openssl-3.1.4/ssl/t1_lib.c if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { cache[i].enabled = 0; -Index: openssl-3.1.4/util/libcrypto.num +Index: openssl-3.2.3/util/libcrypto.num =================================================================== ---- openssl-3.1.4.orig/util/libcrypto.num -+++ openssl-3.1.4/util/libcrypto.num -@@ -5439,3 +5439,5 @@ X509_get_default_cert_uri - X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION: - X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION: - ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +--- openssl-3.2.3.orig/util/libcrypto.num ++++ openssl-3.2.3/util/libcrypto.num +@@ -5537,3 +5537,5 @@ X509_STORE_CTX_set_current_reasons + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK + ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: 
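Review bot: The two entries appended to util/libcrypto.num still carry the `3_0_1` version tag from the original 3.0-era patch, while the neighbouring `ossl_safe_getenv` context line changed from `3_0_0` in the 3.1.4 context to `3_2_0` in the 3.2.3 context, so the rebased lines no longer match the table around them. Both symbols use the `?` ordinal, so the tag is informational for these internal functions, but the consistent form is `ossl_ctx_legacy_digest_signatures_allowed ? 3_2_0 EXIST::FUNCTION:` and `ossl_ctx_legacy_digest_signatures_allowed_set ? 3_2_0 EXIST::FUNCTION:`. Whether the number-file tooling in the build validates the tag against the release is not visible here and should be confirmed before changing it.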
diff --git a/openssl-CVE-2023-5678.patch b/openssl-CVE-2023-5678.patch
deleted file mode 100644
index fc57f41..0000000
--- a/openssl-CVE-2023-5678.patch
+++ /dev/null
@@ -1,174 +0,0 @@ -From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Fri, 20 Oct 2023 09:18:19 +0200 -Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet - -We already check for an excessively large P in DH_generate_key(), but not in -DH_check_pub_key(), and none of them check for an excessively large Q. - -This change adds all the missing excessive size checks of P and Q. - -It's to be noted that behaviours surrounding excessively sized P and Q -differ. DH_check() raises an error on the excessively sized P, but only -sets a flag for the excessively sized Q. This behaviour is mimicked in -DH_check_pub_key(). - -Reviewed-by: Tomas Mraz -Reviewed-by: Matt Caswell -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/22518) - -(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6) ---- - crypto/dh/dh_check.c | 12 ++++++++++++ - crypto/dh/dh_err.c | 3 ++- - crypto/dh/dh_key.c | 12 ++++++++++++ - crypto/err/openssl.txt | 1 + - include/crypto/dherr.h | 2 +- - include/openssl/dh.h | 6 +++--- - include/openssl/dherr.h | 3 ++- - 7 files changed, 33 insertions(+), 6 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 7ba2beae7fd6b..e20eb62081c5e 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) - */ - int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) - { -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; -+ return 0; -+ } -+ -+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { -+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; -+ return 1; -+ } -+ - return ossl_ffc_validate_public_key(&dh->params, 
pub_key, ret); - } - -diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c -index 4152397426cc9..f76ac0dd1463f 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index d84ea99241b9e..afc49f5cdc87d 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - goto err; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ goto err; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -@@ -267,6 +273,12 @@ static int generate_key(DH *dh) - return 0; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ return 0; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index e51504b7abd5c..36de321b749be 100644 ---- 
a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set - DH_R_NO_PRIVATE_VALUE:100:no private value - DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error - DH_R_PEER_KEY_ERROR:111:peer key error -+DH_R_Q_TOO_LARGE:130:q too large - DH_R_SHARED_INFO_ERROR:113:shared info error - DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator - DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters -diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h -index bb24d131eb887..519327f795742 100644 ---- a/include/crypto/dherr.h -+++ b/include/crypto/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 6533260f20272..50e0cf54be8cb 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_GENERATOR_3 3 - # define DH_GENERATOR_5 5 - --/* DH_check error codes */ -+/* DH_check error codes, some of them shared with DH_check_pub_key */ - /* - * NB: These values must align with the equivalently named macros in - * internal/ffc.h. 
-@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 - # define DH_NOT_SUITABLE_GENERATOR 0x08 - # define DH_CHECK_Q_NOT_PRIME 0x10 --# define DH_CHECK_INVALID_Q_VALUE 0x20 -+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ - # define DH_CHECK_INVALID_J_VALUE 0x40 - # define DH_MODULUS_TOO_SMALL 0x80 --# define DH_MODULUS_TOO_LARGE 0x100 -+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ - - /* DH_check_pub_key error codes */ - # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 5d2a762a96f8c..074a70145f9f5 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -50,6 +50,7 @@ - # define DH_R_NO_PRIVATE_VALUE 100 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 -+# define DH_R_Q_TOO_LARGE 130 - # define DH_R_SHARED_INFO_ERROR 113 - # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - diff --git a/openssl-CVE-2023-6129.patch b/openssl-CVE-2023-6129.patch deleted file mode 100644 index 84cdec0..0000000 --- a/openssl-CVE-2023-6129.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Thu, 4 Jan 2024 10:25:50 +0100 -Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering - -Fixes CVE-2023-6129 - -The POLY1305 MAC (message authentication code) implementation in OpenSSL for -PowerPC CPUs saves the the contents of vector registers in different order -than they are restored. Thus the contents of some of these vector registers -is corrupted when returning to the caller. The vulnerable code is used only -on newer PowerPC processors supporting the PowerISA 2.07 instructions. - -Reviewed-by: Matt Caswell -Reviewed-by: Richard Levitte -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/23200) - -(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f) ---- - crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++--------------- - 1 file changed, 21 insertions(+), 21 deletions(-) - -diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl -index 9f86134d923fb..2e601bb9c24be 100755 ---- a/crypto/poly1305/asm/poly1305-ppc.pl -+++ b/crypto/poly1305/asm/poly1305-ppc.pl -@@ -744,7 +744,7 @@ - my $LOCALS= 6*$SIZE_T; - my $VSXFRAME = $LOCALS + 6*$SIZE_T; - $VSXFRAME += 128; # local variables -- $VSXFRAME += 13*16; # v20-v31 offload -+ $VSXFRAME += 12*16; # v20-v31 offload - - my $BIG_ENDIAN = ($flavour !~ /le/) ? 
4 : 0; - -@@ -919,12 +919,12 @@ - addi r11,r11,32 - stvx v22,r10,$sp - addi r10,r10,32 -- stvx v23,r10,$sp -- addi r10,r10,32 -- stvx v24,r11,$sp -+ stvx v23,r11,$sp - addi r11,r11,32 -- stvx v25,r10,$sp -+ stvx v24,r10,$sp - addi r10,r10,32 -+ stvx v25,r11,$sp -+ addi r11,r11,32 - stvx v26,r10,$sp - addi r10,r10,32 - stvx v27,r11,$sp -@@ -1153,12 +1153,12 @@ - addi r11,r11,32 - stvx v22,r10,$sp - addi r10,r10,32 -- stvx v23,r10,$sp -- addi r10,r10,32 -- stvx v24,r11,$sp -+ stvx v23,r11,$sp - addi r11,r11,32 -- stvx v25,r10,$sp -+ stvx v24,r10,$sp - addi r10,r10,32 -+ stvx v25,r11,$sp -+ addi r11,r11,32 - stvx v26,r10,$sp - addi r10,r10,32 - stvx v27,r11,$sp -@@ -1899,26 +1899,26 @@ - mtspr 256,r12 # restore vrsave - lvx v20,r10,$sp - addi r10,r10,32 -- lvx v21,r10,$sp -- addi r10,r10,32 -- lvx v22,r11,$sp -+ lvx v21,r11,$sp - addi r11,r11,32 -- lvx v23,r10,$sp -+ lvx v22,r10,$sp - addi r10,r10,32 -- lvx v24,r11,$sp -+ lvx v23,r11,$sp - addi r11,r11,32 -- lvx v25,r10,$sp -+ lvx v24,r10,$sp - addi r10,r10,32 -- lvx v26,r11,$sp -+ lvx v25,r11,$sp - addi r11,r11,32 -- lvx v27,r10,$sp -+ lvx v26,r10,$sp - addi r10,r10,32 -- lvx v28,r11,$sp -+ lvx v27,r11,$sp - addi r11,r11,32 -- lvx v29,r10,$sp -+ lvx v28,r10,$sp - addi r10,r10,32 -- lvx v30,r11,$sp -- lvx v31,r10,$sp -+ lvx v29,r11,$sp -+ addi r11,r11,32 -+ lvx v30,r10,$sp -+ lvx v31,r11,$sp - $POP r27,`$VSXFRAME-$SIZE_T*5`($sp) - $POP r28,`$VSXFRAME-$SIZE_T*4`($sp) - $POP r29,`$VSXFRAME-$SIZE_T*3`($sp) diff --git a/openssl-CVE-2023-6237.patch b/openssl-CVE-2023-6237.patch deleted file mode 100644 index 17459be..0000000 --- a/openssl-CVE-2023-6237.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 22 Dec 2023 16:25:56 +0100 -Subject: [PATCH] Limit the execution time of RSA public key check - -Fixes CVE-2023-6237 - -If a large and incorrect RSA public key is checked with -EVP_PKEY_public_check() the computation could take very long time -due to no limit being applied to the RSA public key size and -unnecessarily high number of Miller-Rabin algorithm rounds -used for non-primality check of the modulus. - -Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS) -will fail the check with RSA_R_MODULUS_TOO_LARGE error reason. -Also the number of Miller-Rabin rounds was set to 5. - -Reviewed-by: Neil Horman -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/23243) - -(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db) ---- - crypto/rsa/rsa_sp800_56b_check.c | 8 +++- - test/recipes/91-test_pkey_check.t | 2 +- - .../91-test_pkey_check_data/rsapub_17k.pem | 48 +++++++++++++++++++ - 3 files changed, 56 insertions(+), 2 deletions(-) - create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem - -diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c -index fc8f19b48770b..bcbdd24fb8199 100644 ---- a/crypto/rsa/rsa_sp800_56b_check.c -+++ b/crypto/rsa/rsa_sp800_56b_check.c -@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) - return 0; - - nbits = BN_num_bits(rsa->n); -+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - #ifdef FIPS_MODULE - /* - * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) -@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) - goto err; - } - -- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); -+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ -+ ret = 
ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status); - #ifdef FIPS_MODULE - if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { - #else -diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t -index dc7cc64533af2..f8088df14d36c 100644 ---- a/test/recipes/91-test_pkey_check.t -+++ b/test/recipes/91-test_pkey_check.t -@@ -70,7 +70,7 @@ push(@positive_tests, ( - "dhpkey.pem" - )) unless disabled("dh"); - --my @negative_pubtests = (); -+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key - - push(@negative_pubtests, ( - "dsapub_noparam.der" -diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem -new file mode 100644 -index 0000000000000..9a2eaedaf1b22 ---- /dev/null -+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem -@@ -0,0 +1,48 @@ -+-----BEGIN PUBLIC KEY----- -+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR -+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph -+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 -+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ -+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj -+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 -+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq -+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 -+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 -+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j -+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH -+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa -+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y -+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu -+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J -+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo 
-+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id -+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB -+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi -+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7 -+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN -+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux -+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O -+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi -+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH -+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx -+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP -+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4 -+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS -+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL -+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ -+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ -+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz -+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq -+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW -+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC -+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK -+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys -+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC -+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J -+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+ -+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa -+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q -+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb -+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID -+AQAB -+-----END PUBLIC KEY----- 
diff --git a/openssl-CVE-2024-0727.patch b/openssl-CVE-2024-0727.patch
deleted file mode 100644
index 8c7d24a..0000000
--- a/openssl-CVE-2024-0727.patch
+++ /dev/null
@@ -1,118 +0,0 @@ -From d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 19 Jan 2024 11:28:58 +0000 -Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL - -PKCS12 structures contain PKCS7 ContentInfo fields. These fields are -optional and can be NULL even if the "type" is a valid value. OpenSSL -was not properly accounting for this and a NULL dereference can occur -causing a crash. - -CVE-2024-0727 - -Reviewed-by: Tomas Mraz -Reviewed-by: Hugo Landau -Reviewed-by: Neil Horman -(Merged from https://github.com/openssl/openssl/pull/23362) ---- - crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ - crypto/pkcs12/p12_mutl.c | 5 +++++ - crypto/pkcs12/p12_npas.c | 5 +++-- - crypto/pkcs7/pk7_mime.c | 7 +++++-- - 4 files changed, 31 insertions(+), 4 deletions(-) - -diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c -index 6fd4184af5a52..80ce31b3bca66 100644 ---- a/crypto/pkcs12/p12_add.c -+++ b/crypto/pkcs12/p12_add.c -@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p7->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); - } - -@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, - { - if (!PKCS7_type_is_encrypted(p7)) - return NULL; -+ -+ if (p7->d.encrypted == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm, - ASN1_ITEM_rptr(PKCS12_SAFEBAGS), - pass, passlen, -@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p12->authsafes->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ 
return NULL; -+ } -+ - p7s = ASN1_item_unpack(p12->authsafes->d.data, - ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); - if (p7s != NULL) { -diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c -index 67a885a45f89e..68ff54d0e90ee 100644 ---- a/crypto/pkcs12/p12_mutl.c -+++ b/crypto/pkcs12/p12_mutl.c -@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, - return 0; - } - -+ if (p12->authsafes->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return 0; -+ } -+ - salt = p12->mac->salt->data; - saltlen = p12->mac->salt->length; - if (p12->mac->iter == NULL) -diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c -index 62230bc6187ff..1e5b5495991a4 100644 ---- a/crypto/pkcs12/p12_npas.c -+++ b/crypto/pkcs12/p12_npas.c -@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) - bags = PKCS12_unpack_p7data(p7); - } else if (bagnid == NID_pkcs7_encrypted) { - bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); -- if (!alg_get(p7->d.encrypted->enc_data->algorithm, -- &pbe_nid, &pbe_iter, &pbe_saltlen)) -+ if (p7->d.encrypted == NULL -+ || !alg_get(p7->d.encrypted->enc_data->algorithm, -+ &pbe_nid, &pbe_iter, &pbe_saltlen)) - goto err; - } else { - continue; -diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c -index 49a0da5f819c4..8228315eeaa3a 100644 ---- a/crypto/pkcs7/pk7_mime.c -+++ b/crypto/pkcs7/pk7_mime.c -@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) - int ctype_nid = OBJ_obj2nid(p7->type); - const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); - -- if (ctype_nid == NID_pkcs7_signed) -+ if (ctype_nid == NID_pkcs7_signed) { -+ if (p7->d.sign == NULL) -+ return 0; - mdalgs = p7->d.sign->md_algs; -- else -+ } else { - mdalgs = NULL; -+ } - - flags ^= SMIME_OLDMIME; - diff --git a/openssl-CVE-2024-2511.patch b/openssl-CVE-2024-2511.patch deleted file mode 100644 index 0ffdd7f..0000000 
--- a/openssl-CVE-2024-2511.patch
+++ /dev/null
@@ -1,116 +0,0 @@ -From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 5 Mar 2024 15:43:53 +0000 -Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 - -In TLSv1.3 we create a new session object for each ticket that we send. -We do this by duplicating the original session. If SSL_OP_NO_TICKET is in -use then the new session will be added to the session cache. However, if -early data is not in use (and therefore anti-replay protection is being -used), then multiple threads could be resuming from the same session -simultaneously. If this happens and a problem occurs on one of the threads, -then the original session object could be marked as not_resumable. When we -duplicate the session object this not_resumable status gets copied into the -new session object. The new session object is then added to the session -cache even though it is not_resumable. - -Subsequently, another bug means that the session_id_length is set to 0 for -sessions that are marked as not_resumable - even though that session is -still in the cache. Once this happens the session can never be removed from -the cache. When that object gets to be the session cache tail object the -cache never shrinks again and grows indefinitely. - -CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24044) ---- - ssl/ssl_lib.c | 5 +++-- - ssl/ssl_sess.c | 28 ++++++++++++++++++++++------ - ssl/statem/statem_srvr.c | 5 ++--- - 3 files changed, 27 insertions(+), 11 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index b5cc4af2f0302..e747b7f90aa71 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode) - - /* - * If the session_id_length is 0, we are not supposed to cache it, and it -- * would be rather hard to do anyway :-) -+ * would be rather hard to do anyway :-). 
Also if the session has already -+ * been marked as not_resumable we should not cache it for later reuse. - */ -- if (s->session->session_id_length == 0) -+ if (s->session->session_id_length == 0 || s->session->not_resumable) - return; - - /* -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index bf84e792251b8..241cf43c46296 100644 ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void) - return ss; - } - --SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) --{ -- return ssl_session_dup(src, 1); --} -- - /* - * Create a new SSL_SESSION and duplicate the contents of |src| into it. If - * ticket == 0 then no ticket information is duplicated, otherwise it is. - */ --SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) -+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) - { - SSL_SESSION *dest; - -@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) - return NULL; - } - -+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) -+{ -+ return ssl_session_dup_intern(src, 1); -+} -+ -+/* -+ * Used internally when duplicating a session which might be already shared. -+ * We will have resumed the original session. Subsequently we might have marked -+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to -+ * resume from. 
-+ */ -+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) -+{ -+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket); -+ -+ if (sess != NULL) -+ sess->not_resumable = 0; -+ -+ return sess; -+} -+ - const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) - { - if (len) -diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c -index 5d59d53563ed8..8e493176f658e 100644 ---- a/ssl/statem/statem_srvr.c -+++ b/ssl/statem/statem_srvr.c -@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) - * so the following won't overwrite an ID that we're supposed - * to send back. - */ -- if (s->session->not_resumable || -- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) -- && !s->hit)) -+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) -+ && !s->hit) - s->session->session_id_length = 0; - - if (usetls13) { diff --git a/openssl-CVE-2024-41996.patch b/openssl-CVE-2024-41996.patch deleted file mode 100644 index 81fc3e0..0000000 --- a/openssl-CVE-2024-41996.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 5 Aug 2024 17:54:14 +0200 -Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known - safe-prime groups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The partial validation is fully sufficient to check the key validity. - -Thanks to Szilárd Pfeiffer for reporting the issue. - -Reviewed-by: Neil Horman -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/25088) ---- - providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c -index 82c3093b122c2..ebdce767102ee 100644 ---- a/providers/implementations/keymgmt/dh_kmgmt.c -+++ b/providers/implementations/keymgmt/dh_kmgmt.c -@@ -388,9 +388,11 @@ static int dh_validate_public(const DH *dh, int checktype) - if (pub_key == NULL) - return 0; - -- /* The partial test is only valid for named group's with q = (p - 1) / 2 */ -- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK -- && ossl_dh_is_named_safe_prime_group(dh)) -+ /* -+ * The partial test is only valid for named group's with q = (p - 1) / 2 -+ * but for that case it is also fully sufficient to check the key validity. -+ */ -+ if (ossl_dh_is_named_safe_prime_group(dh)) - return ossl_dh_check_pub_key_partial(dh, pub_key, &res); - - return DH_check_pub_key_ex(dh, pub_key); - diff --git a/openssl-CVE-2024-4603.patch b/openssl-CVE-2024-4603.patch deleted file mode 100644 index 23fa5d3..0000000 --- a/openssl-CVE-2024-4603.patch +++ /dev/null 
@@ -1,199 +0,0 @@
-From 9c39b3858091c152f52513c066ff2c5a47969f0d Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Wed, 8 May 2024 15:23:45 +0200
-Subject: [PATCH] Check DSA parameters for excessive sizes before validating
-
-This avoids overly long computation of various validation
-checks.
-
-Fixes CVE-2024-4603
-
-Reviewed-by: Paul Dale
-Reviewed-by: Matt Caswell
-Reviewed-by: Neil Horman
-Reviewed-by: Shane Lontis
-(Merged from https://github.com/openssl/openssl/pull/24346)
-
-(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
----
- CHANGES.md | 17 ++++++
- crypto/dsa/dsa_check.c | 44 ++++++++++++--
- .../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++
- 3 files changed, 114 insertions(+), 4 deletions(-)
- create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-
-Index: openssl-3.1.4/crypto/dsa/dsa_check.c
-===================================================================
---- openssl-3.1.4.orig/crypto/dsa/dsa_check.c
-+++ openssl-3.1.4/crypto/dsa/dsa_check.c
-@@ -19,8 +19,34 @@
- #include "dsa_local.h"
- #include "crypto/dsa.h"
-
-+static int dsa_precheck_params(const DSA *dsa, int *ret)
-+{
-+ if (dsa->params.p == NULL || dsa->params.q == NULL) {
-+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
-+ *ret = FFC_CHECK_INVALID_PQ;
-+ return 0;
-+ }
-+
-+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
-+ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
-+ *ret = FFC_CHECK_INVALID_PQ;
-+ return 0;
-+ }
-+
-+ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
-+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
-+ *ret = FFC_CHECK_INVALID_PQ;
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
- int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
- {
-+ if (!dsa_precheck_params(dsa, ret))
-+ return 0;
-+
- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
- return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
- FFC_PARAM_TYPE_DSA, ret);
-@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa
- */
- int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
- {
-+ if (!dsa_precheck_params(dsa, ret))
-+ return 0;
-+
- return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
- && *ret == 0;
- }
-@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *ds
- */
- int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
- {
-+ if (!dsa_precheck_params(dsa, ret))
-+ return 0;
-+
- return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
- && *ret == 0;
- }
-@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *d
- {
- *ret = 0;
-
-- return (dsa->params.q != NULL
-- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
-+ if (!dsa_precheck_params(dsa, ret))
-+ return 0;
-+
-+ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
- }
-
- /*
-@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *d
- BN_CTX *ctx = NULL;
- BIGNUM *pub_key = NULL;
-
-- if (dsa->params.p == NULL
-- || dsa->params.g == NULL
-+ if (!dsa_precheck_params(dsa, &ret))
-+ return 0;
-+
-+ if (dsa->params.g == NULL
- || dsa->priv_key == NULL
- || dsa->pub_key == NULL)
- return 0;
-Index: openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-===================================================================
---- /dev/null
-+++ openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-@@ -0,0 +1,57 @@
-+-----BEGIN DSA PARAMETERS-----
-+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
-+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
-+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
-+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
-+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
-+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
-+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
-+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
-+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
-+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
-+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
-+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
-+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
-+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
-+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
-+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
-+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
-+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
-+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
-+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
-+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
-+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
-+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
-+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
-+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
-+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
-+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
-+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
-+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
-+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
-+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
-+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
-+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
-+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
-+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
-+3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
-+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
-+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
-+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
-+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
-+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
-+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
-+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
-+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
-+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
-+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
-+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
-+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
-+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
-+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
-+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
-+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
-+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
-+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
-+vKuje86bePD6kD/LH3wmkA==
-+-----END DSA PARAMETERS-----
-Index: openssl-3.1.4/CHANGES.md
-===================================================================
---- openssl-3.1.4.orig/CHANGES.md
-+++ openssl-3.1.4/CHANGES.md
-@@ -22,6 +22,23 @@ OpenSSL Releases
- OpenSSL 3.1
- -----------
-
-+ * Fixed an issue where checking excessively long DSA keys or parameters may
-+ be very slow.
-+
-+ Applications that use the functions EVP_PKEY_param_check() or
-+ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
-+ experience long delays. Where the key or parameters that are being checked
-+ have been obtained from an untrusted source this may lead to a Denial of
-+ Service.
-+
-+ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
-+ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
-+ reason.
-+
-+ ([CVE-2024-4603])
-+
-+ *Tomáš Mráz*
-+
- ### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
-
- * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
diff --git a/openssl-CVE-2024-4741.patch b/openssl-CVE-2024-4741.patch
deleted file mode 100644
index 2e87ae8..0000000
--- a/openssl-CVE-2024-4741.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-@@ -, +, @@
----
- ssl/record/methods/tls_common.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
---- openssl-3.0.8/ssl/record/ssl3_buffer.c
-+++ openssl-3.0.8/ssl/record/ssl3_buffer.c
-@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
- OPENSSL_cleanse(b->buf, b->len);
- OPENSSL_free(b->buf);
- b->buf = NULL;
-+ s->rlayer.packet = NULL;
-+ s->rlayer.packet_length = 0;
- return 1;
- }
---- openssl-3.0.8/ssl/record/rec_layer_s3.c
-+++ openssl-3.0.8/ssl/record/rec_layer_s3.c
-@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
- s->rlayer.packet_length = 0;
- /* ... now we can act as if 'extend' was set */
- }
-+ if (!ossl_assert(s->rlayer.packet != NULL)) {
-+ /* does not happen */
-+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-+ return -1;
-+ }
-
- len = s->rlayer.packet_length;
- pkt = rb->buf + align;
diff --git a/openssl-CVE-2024-5535.patch b/openssl-CVE-2024-5535.patch
deleted file mode 100644
index b8ee00a..0000000
--- a/openssl-CVE-2024-5535.patch
+++ /dev/null
@@ -1,326 +0,0 @@
-From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 31 May 2024 11:14:33 +0100
-Subject: [PATCH] Fix SSL_select_next_proto
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
- 1 file changed, 40 insertions(+), 23 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 5493d9b9c7..f218dcf1db 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -2953,37 +2953,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
- unsigned int server_len,
- const unsigned char *client, unsigned int client_len)
- {
-- unsigned int i, j;
-- const unsigned char *result;
-- int status = OPENSSL_NPN_UNSUPPORTED;
-+ PACKET cpkt, csubpkt, spkt, ssubpkt;
-+
-+ if (!PACKET_buf_init(&cpkt, client, client_len)
-+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+ || PACKET_remaining(&csubpkt) == 0) {
-+ *out = NULL;
-+ *outlen = 0;
-+ return OPENSSL_NPN_NO_OVERLAP;
-+ }
-+
-+ /*
-+ * Set the default opportunistic protocol. Will be overwritten if we find
-+ * a match.
-+ */
-+ *out = (unsigned char *)PACKET_data(&csubpkt);
-+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
-
- /*
- * For each protocol in server preference order, see if we support it.
- */
-- for (i = 0; i < server_len;) {
-- for (j = 0; j < client_len;) {
-- if (server[i] == client[j] &&
-- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
-- /* We found a match */
-- result = &server[i];
-- status = OPENSSL_NPN_NEGOTIATED;
-- goto found;
-+ if (PACKET_buf_init(&spkt, server, server_len)) {
-+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+ if (PACKET_remaining(&ssubpkt) == 0)
-+ continue; /* Invalid - ignore it */
-+ if (PACKET_buf_init(&cpkt, client, client_len)) {
-+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+ PACKET_remaining(&ssubpkt))) {
-+ /* We found a match */
-+ *out = (unsigned char *)PACKET_data(&ssubpkt);
-+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+ return OPENSSL_NPN_NEGOTIATED;
-+ }
-+ }
-+ /* Ignore spurious trailing bytes in the client list */
-+ } else {
-+ /* This should never happen */
-+ return OPENSSL_NPN_NO_OVERLAP;
- }
-- j += client[j];
-- j++;
- }
-- i += server[i];
-- i++;
-+ /* Ignore spurious trailing bytes in the server list */
- }
-
-- /* There's no overlap between our protocols and the server's list. */
-- result = client;
-- status = OPENSSL_NPN_NO_OVERLAP;
--
-- found:
-- *out = (unsigned char *)result + 1;
-- *outlen = result[0];
-- return status;
-+ /*
-+ * There's no overlap between our protocols and the server's list. We use
-+ * the default opportunistic protocol selected earlier
-+ */
-+ return OPENSSL_NPN_NO_OVERLAP;
- }
-
- #ifndef OPENSSL_NO_NEXTPROTONEG
---
-2.45.2
-
-From 4279c89a726025c758db3dafb263b17e52211304 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 31 May 2024 11:18:27 +0100
-Subject: [PATCH] More correctly handle a selected_len of 0 when
- processing NPN
-
-In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
-the selected_len is 0 we should fail. Previously this would fail with an
-internal_error alert because calling OPENSSL_malloc(selected_len) will
-return NULL when selected_len is 0. We make this error detection more
-explicit and return a handshake failure alert.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- ssl/statem/extensions_clnt.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 842be0722b..a07dc62e9a 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
- PACKET_data(pkt),
- PACKET_remaining(pkt),
- s->ctx->ext.npn_select_cb_arg) !=
-- SSL_TLSEXT_ERR_OK) {
-+ SSL_TLSEXT_ERR_OK
-+ || selected_len == 0) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
- return 0;
- }
---
-2.45.2
-
-From 889ed19ba25abebd2690997acd6d4791cbe5c493 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 31 May 2024 11:46:38 +0100
-Subject: [PATCH] Clarify the SSL_select_next_proto() documentation
-
-We clarify the input preconditions and the expected behaviour in the event
-of no overlap.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-index 102e657851..a29557dd91 100644
---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
- SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
- set the list of protocols available to be negotiated. The B must be in
- protocol-list format, described below. The length of B is specified in
--B.
-+B. Setting B to 0 clears any existing list of ALPN
-+protocols and no ALPN extension will be sent to the server.
-
- SSL_CTX_set_alpn_select_cb() sets the application callback B used by a
- server to select which protocol to use for the incoming connection. When B
-@@ -73,9 +74,16 @@ B and B, B must be in the protocol-list format
- described below. The first item in the B, B list that
- matches an item in the B, B list is selected, and returned
- in B, B. The B value will point into either B or
--B, so it should be copied immediately. If no match is found, the first
--item in B, B is returned in B, B. This
--function can also be used in the NPN callback.
-+B, so it should be copied immediately. The client list must include at
-+least one valid (nonempty) protocol entry in the list.
-+
-+The SSL_select_next_proto() helper function can be useful from either the ALPN
-+callback or the NPN callback (described below). If no match is found, the first
-+item in B, B is returned in B, B and
-+B is returned. This can be useful when implementating
-+the NPN callback. In the ALPN case, the value returned in B and B
-+must be ignored if B has been returned from
-+SSL_select_next_proto().
-
- SSL_CTX_set_next_proto_select_cb() sets a callback B that is called when a
- client needs to select a protocol from the server's provided list, and a
-@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B).
- The length of the protocol name must be written into B. The
- server's advertised protocols are provided in B and B. The
- callback can assume that B is syntactically valid. The client must
--select a protocol. It is fatal to the connection if this callback returns
--a value other than B. The B parameter is the pointer
--set via SSL_CTX_set_next_proto_select_cb().
-+select a protocol (although it may be an empty, zero length protocol). It is
-+fatal to the connection if this callback returns a value other than
-+B or if the zero length protocol is selected. The B
-+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
-
- SSL_CTX_set_next_protos_advertised_cb() sets a callback B that is called
- when a TLS server needs a list of supported protocols for Next Protocol
-@@ -149,7 +158,8 @@ A match was found and is returned in B, B.
- =item OPENSSL_NPN_NO_OVERLAP
-
- No match was found. The first item in B, B is returned in
--B, B.
-+B, B (or B and 0 in the case where the first entry in
-+B is invalid).
-
- =back
-
---
-2.45.2
-
-From 087501b4f572825e27ca8cc2c5874fcf6fd47cf7 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 21 Jun 2024 10:41:55 +0100
-Subject: [PATCH] Correct return values for
- tls_construct_stoc_next_proto_neg
-
-Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
-rather than EXT_RETURN_SENT. This actually makes no difference at all to
-the current control flow since this return value is ignored in this case
-anyway. But lets make it correct anyway.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- ssl/statem/extensions_srvr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 4ea085e1a1..2da880450f 100644
---- a/ssl/statem/extensions_srvr.c
-+++ b/ssl/statem/extensions_srvr.c
-@@ -1476,9 +1476,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
- return EXT_RETURN_FAIL;
- }
- s->s3.npn_seen = 1;
-+ return EXT_RETURN_SENT;
- }
-
-- return EXT_RETURN_SENT;
-+ return EXT_RETURN_NOT_SENT;
- }
- #endif
-
---
-2.45.2
-
-From 017e54183b95617825fb9316d618c154a34c634e Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 21 Jun 2024 11:51:54 +0100
-Subject: [PATCH] Add ALPN validation in the client
-
-The ALPN protocol selected by the server must be one that we originally
-advertised. We should verify that it is.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index a07dc62e9a..b21ccf9273 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
- size_t chainidx)
- {
- size_t len;
-+ PACKET confpkt, protpkt;
-+ int valid = 0;
-
- /* We must have requested it. */
- if (!s->s3.alpn_sent) {
-@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
- return 0;
- }
-+
-+ /* It must be a protocol that we sent */
-+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
-+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
-+ if (PACKET_remaining(&protpkt) != len)
-+ continue;
-+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
-+ /* Valid protocol found */
-+ valid = 1;
-+ break;
-+ }
-+ }
-+
-+ if (!valid) {
-+ /* The protocol sent from the server does not match one we advertised */
-+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-+ return 0;
-+ }
-+
- OPENSSL_free(s->s3.alpn_selected);
- s->s3.alpn_selected = OPENSSL_malloc(len);
- if (s->s3.alpn_selected == NULL) {
---
-2.45.2
-
diff --git a/openssl-CVE-2024-6119.patch b/openssl-CVE-2024-6119.patch
deleted file mode 100644
index f7aadcf..0000000
--- a/openssl-CVE-2024-6119.patch
+++ /dev/null
@@ -1,255 +0,0 @@
-commit 97ebe37033e8884f4cca5544a74376633c665e11
-Author: Viktor Dukhovni
-Date: Wed Jun 19 21:04:11 2024 +1000
-
- Avoid type errors in EAI-related name check logic.
-
- The incorrectly typed data is read only, used in a compare operation, so
- neither remote code execution, nor memory content disclosure were possible.
- However, applications performing certificate name checks were vulnerable to
- denial of service.
-
- The GENERAL_TYPE data type is a union, and we must take care to access the
- correct member, based on `gen->type`, not all the member fields have the same
- structure, and a segfault is possible if the wrong member field is read.
-
- The code in question was lightly refactored with the intent to make it more
- obviously correct.
-
- CVE-2024-6119
-
- (cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
-
-diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
-index 1a18174995..a09414c972 100644
---- a/crypto/x509/v3_utl.c
-+++ b/crypto/x509/v3_utl.c
-@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
- ASN1_STRING *cstr;
-
- gen = sk_GENERAL_NAME_value(gens, i);
-- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
-- if (OBJ_obj2nid(gen->d.otherName->type_id) ==
-- NID_id_on_SmtpUTF8Mailbox) {
-- san_present = 1;
--
-- /*
-- * If it is not a UTF8String then that is unexpected and we
-- * treat it as no match
-- */
-- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
-- cstr = gen->d.otherName->value->value.utf8string;
--
-- /* Positive on success, negative on error! */
-- if ((rv = do_check_string(cstr, 0, equal, flags,
-- chk, chklen, peername)) != 0)
-- break;
-- }
-- } else
-+ switch (gen->type) {
-+ default:
-+ continue;
-+ case GEN_OTHERNAME:
-+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
-+ default:
- continue;
-- } else {
-- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
-+ case NID_id_on_SmtpUTF8Mailbox:
-+ /*-
-+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3
-+ *
-+ * Due to name constraint compatibility reasons described
-+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
-+ * be used unless the local-part of the email address
-+ * contains non-ASCII characters. When the local-part is
-+ * ASCII, rfc822Name subjectAltName MUST be used instead
-+ * of SmtpUTF8Mailbox. This is compatible with legacy
-+ * software that supports only rfc822Name (and not
-+ * SmtpUTF8Mailbox). [...]
-+ *
-+ * SmtpUTF8Mailbox is encoded as UTF8String.
-+ *
-+ * If it is not a UTF8String then that is unexpected, and
-+ * we ignore the invalid SAN (neither set san_present nor
-+ * consider it a candidate for equality). This does mean
-+ * that the subject CN may be considered, as would be the
-+ * case when the malformed SmtpUtf8Mailbox SAN is instead
-+ * simply absent.
-+ *
-+ * When CN-ID matching is not desirable, applications can
-+ * choose to turn it off, doing so is at this time a best
-+ * practice.
-+ */
-+ if (check_type != GEN_EMAIL
-+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
-+ continue;
-+ alt_type = 0;
-+ cstr = gen->d.otherName->value->value.utf8string;
-+ break;
-+ }
-+ break;
-+ case GEN_EMAIL:
-+ if (check_type != GEN_EMAIL)
- continue;
-- }
-- san_present = 1;
-- if (check_type == GEN_EMAIL)
- cstr = gen->d.rfc822Name;
-- else if (check_type == GEN_DNS)
-+ break;
-+ case GEN_DNS:
-+ if (check_type != GEN_DNS)
-+ continue;
- cstr = gen->d.dNSName;
-- else
-+ break;
-+ case GEN_IPADD:
-+ if (check_type != GEN_IPADD)
-+ continue;
- cstr = gen->d.iPAddress;
-+ break;
-+ }
-+ san_present = 1;
- /* Positive on success, negative on error! */
- if ((rv = do_check_string(cstr, alt_type, equal, flags,
- chk, chklen, peername)) != 0)
-diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
-index 522982ddfb..e18735d89a 100644
---- a/test/recipes/25-test_eai_data.t
-+++ b/test/recipes/25-test_eai_data.t
-@@ -21,16 +21,18 @@ setup("test_eai_data");
- #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
- #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
-
--plan tests => 12;
-+plan tests => 16;
-
- require_ok(srctop_file('test','recipes','tconversion.pl'));
- my $folder = "test/recipes/25-test_eai_data";
-
- my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
- my $utf8_pem = srctop_file($folder, "utf8_leaf.pem");
-+my $kdc_pem = srctop_file($folder, "kdc-cert.pem");
-
- my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
- my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem");
-+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem");
-
- my $out;
- my $outcnt = 0;
-@@ -56,10 +58,18 @@ SKIP: {
-
- ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
- ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
-+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
-
- ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
- ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem])));
-
-+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
-+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
-+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
-+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
-+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
-+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
-+
- #Check that we get the expected failure return code
- with({ exit_checker => sub { return shift == 2; } },
- sub {
-diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
-new file mode 100644
-index 0000000000..e8a2c6f55d
---- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc-cert.pem
-@@ -0,0 +1,21 @@
-+-----BEGIN CERTIFICATE-----
-+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
-+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
-+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
-+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
-+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
-+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
-+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
-+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
-+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
-+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
-+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
-+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
-+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
-+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
-+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
-+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
-+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
-+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
-+oDQ9fKfUOAmUFth2/R/eGA==
-+-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
-new file mode 100644
-index 0000000000..a74c96bf31
---- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
-@@ -0,0 +1,16 @@
-+-----BEGIN CERTIFICATE-----
-+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
-+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
-+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
-+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
-+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
-+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
-+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
-+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
-+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
-+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
-+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
-+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
-+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
-+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
-+-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
-new file mode 100755
-index 0000000000..7a8dbc719f
---- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc.sh
-@@ -0,0 +1,41 @@
-+#! /usr/bin/env bash
-+
-+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
-+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
-+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should
-+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
-+# should likewise lead to ASAN issues with email name checks.
-+
-+rm -f root-key.pem root-cert.pem
-+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
-+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
-+
-+exts=$(
-+ printf "%s\n%s\n%s\n%s = " \
-+ "subjectKeyIdentifier = hash" \
-+ "authorityKeyIdentifier = keyid" \
-+ "basicConstraints = CA:false" \
-+ "subjectAltName"
-+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
-+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
-+ printf "%s, " "email:joe@example.com"
-+ printf "%s\n" "DNS:mx1.example.com"
-+ printf "[kdc_princ_name]\n"
-+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
-+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
-+ printf "[kdc_principal_seq]\n"
-+ printf "name_type = EXP:0, INTEGER:1\n"
-+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
-+ printf "[kdc_principal_components]\n"
-+ printf "princ1 = GeneralString:krbtgt\n"
-+ printf "princ2 = GeneralString:TEST.EXAMPLE\n"
-+ )
-+
-+printf "%s\n" "$exts"
-+
-+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
-+ -subj "/CN=TEST.EXAMPLE" |
-+ openssl x509 -req -out kdc-cert.pem \
-+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
-+ -set_serial 2 -days 36524 \
-+ -extfile <(printf "%s\n" "$exts")
diff --git a/openssl-DEFAULT_SUSE_cipher.patch b/openssl-DEFAULT_SUSE_cipher.patch
deleted file mode 100644
index b8d8688..0000000
--- a/openssl-DEFAULT_SUSE_cipher.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c -=================================================================== ---- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c -+++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c -@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - */ - ok = 1; - rule_p = rule_str; -- if (strncmp(rule_str, "DEFAULT", 7) == 0) { -+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) { -+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST, -+ &head, &tail, ca_list, c); -+ rule_p += 12; -+ if (*rule_p == ':') -+ rule_p++; -+ } -+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) { - ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(), - &head, &tail, ca_list, c); - rule_p += 7; -Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t -=================================================================== ---- /dev/null -+++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t -@@ -0,0 +1,23 @@ -+#! /usr/bin/env perl -+ -+use strict; -+use warnings; -+ -+use OpenSSL::Test qw/:DEFAULT/; -+use OpenSSL::Test::Utils; -+ -+setup("test_default_ciphersuites"); -+ -+plan tests => 6; -+ -+my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT"); -+ -+foreach my $cipherlist (@cipher_suites) { -+ ok(run(app(["openssl", "ciphers", "-s", $cipherlist])), -+ "openssl ciphers works with ciphersuite $cipherlist"); -+ ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)), -+ "$cipherlist shouldn't contain MD5, DES or RC4\n"); -+ ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)), -+ "$cipherlist should contain TLSv1.3 ciphers\n"); -+} -+ -Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in -=================================================================== ---- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in -+++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in -@@ -189,6 +189,11 @@ extern "C" { - */ - # ifndef 
OPENSSL_NO_DEPRECATED_3_0 - # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" -+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\ -+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\ -+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ -+ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ -+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" - /* - * This is the default set of TLSv1.3 ciphersuites - * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites() diff --git a/openssl-Disable-default-provider-for-test-suite.patch b/openssl-Disable-default-provider-for-test-suite.patch deleted file mode 100644 index 719a289..0000000 --- a/openssl-Disable-default-provider-for-test-suite.patch +++ /dev/null @@ -1,19 +0,0 @@ -Index: openssl-3.1.4/apps/openssl.cnf -=================================================================== ---- openssl-3.1.4.orig/apps/openssl.cnf -+++ openssl-3.1.4/apps/openssl.cnf -@@ -70,11 +70,11 @@ engines = engine_section - # to side-channel attacks and as such have been deprecated. - - [provider_sect] --default = default_sect -+##default = default_sect - ##legacy = legacy_sect - --[default_sect] --activate = 1 -+##[default_sect] -+##activate = 1 - - ##[legacy_sect] - ##activate = 1 diff --git a/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch b/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch deleted file mode 100644 index 031bef4..0000000 --- a/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From d2bfec6e464aeb247a2d6853668d4e473f19e15f Mon Sep 17 00:00:00 2001 -From: "fangming.fang" -Date: Thu, 7 Dec 2023 06:17:51 +0000 -Subject: [PATCH] Enable BTI feature for md5 on aarch64 - -Fixes: #22959 ---- - crypto/md5/asm/md5-aarch64.pl | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl -index 3200a0fa9bff0..5a8608069691d 100755 ---- a/crypto/md5/asm/md5-aarch64.pl -+++ b/crypto/md5/asm/md5-aarch64.pl -@@ -28,10 +28,13 @@ - *STDOUT=*OUT; - - $code .= <strength, - drbg->min_entropylen, drbg->max_entropylen, -@@ -662,8 +665,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d - reseed_required = 1; - } - if (drbg->parent != NULL -- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) -+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { -+#ifdef FIPS_MODULE -+ /* SUSE patches provide chain reseeding when necessary so just sync counters*/ -+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); -+#else - reseed_required = 1; -+#endif -+ } - - if (reseed_required || prediction_resistance) { - if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0, -Index: openssl-3.1.4/crypto/rand/prov_seed.c -=================================================================== ---- openssl-3.1.4.orig/crypto/rand/prov_seed.c -+++ openssl-3.1.4/crypto/rand/prov_seed.c +--- openssl-3.2.3.orig/crypto/rand/prov_seed.c ++++ openssl-3.2.3/crypto/rand/prov_seed.c @@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused size_t entropy_available; RAND_POOL *pool; 
@@ -46,12 +16,33 @@ Index: openssl-3.1.4/crypto/rand/prov_seed.c + */ + pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); if (pool == NULL) { - ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE); + ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB); return 0; -Index: openssl-3.1.4/providers/implementations/rands/crngt.c +Index: openssl-3.2.3/crypto/rand/rand_lib.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/rands/crngt.c -+++ openssl-3.1.4/providers/implementations/rands/crngt.c +--- openssl-3.2.3.orig/crypto/rand/rand_lib.c ++++ openssl-3.2.3/crypto/rand/rand_lib.c +@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB + return ret; + } + +-#ifndef FIPS_MODULE +- if (dgbl->seed == NULL) { +- ERR_set_mark(); +- dgbl->seed = rand_new_seed(ctx); +- ERR_pop_to_mark(); +- } +-#endif +- +- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed, ++ ret = dgbl->primary = rand_new_drbg(ctx, NULL, + PRIMARY_RESEED_INTERVAL, + PRIMARY_RESEED_TIME_INTERVAL, 1); + /* +Index: openssl-3.2.3/providers/implementations/rands/crngt.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/rands/crngt.c ++++ openssl-3.2.3/providers/implementations/rands/crngt.c @@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG * to the nearest byte. If the entropy is of less than full quality, * the amount required should be scaled up appropriately here. 
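Review bot: The new rand_lib.c hunk (`ret = dgbl->primary = rand_new_drbg(ctx, NULL,`) deletes the seed-source creation that was previously guarded by `#ifndef FIPS_MODULE`, so the primary DRBG now has no seed parent in non-FIPS builds as well, and nothing in the patch says why. A short comment above the call would spare the next rebase a guess, e.g. `/* SUSE: no seed-source parent; the primary DRBG presumably draws entropy via ossl_rand_get_entropy() (see prov_seed.c) */` — hedged, because the entropy path is only implied by the prov_seed.c hunk above. It is also worth confirming that `dgbl->seed` has no remaining readers now that it is never assigned here. `RAND_get0_primary` begins before this hunk.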
@@ -65,10 +56,40 @@ Index: openssl-3.1.4/providers/implementations/rands/crngt.c if (bytes_needed < min_len) bytes_needed = min_len; if (bytes_needed > max_len) -Index: openssl-3.1.4/providers/implementations/rands/drbg_local.h +Index: openssl-3.2.3/providers/implementations/rands/drbg.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/rands/drbg_local.h -+++ openssl-3.1.4/providers/implementations/rands/drbg_local.h +--- openssl-3.2.3.orig/providers/implementations/rands/drbg.c ++++ openssl-3.2.3/providers/implementations/rands/drbg.c +@@ -569,6 +569,9 @@ static int ossl_prov_drbg_reseed_unlocke + #endif + } + ++#ifdef FIPS_MODULE ++ prediction_resistance = 1; ++#endif + /* Reseed using our sources in addition */ + entropylen = get_entropy(drbg, &entropy, drbg->strength, + drbg->min_entropylen, drbg->max_entropylen, +@@ -690,8 +693,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d + reseed_required = 1; + } + if (drbg->parent != NULL +- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) ++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { ++#ifdef FIPS_MODULE ++ /* SUSE patches provide chain reseeding when necessary so just sync counters*/ ++ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); ++#else + reseed_required = 1; ++#endif ++ } + + if (reseed_required || prediction_resistance) { + if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL, +Index: openssl-3.2.3/providers/implementations/rands/drbg_local.h +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/rands/drbg_local.h ++++ openssl-3.2.3/providers/implementations/rands/drbg_local.h @@ -38,7 +38,7 @@ * * The value is in bytes. 
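Review bot: In the drbg.c hunk, `prediction_resistance = 1;` under `#ifdef FIPS_MODULE` in `ossl_prov_drbg_reseed_unlocked` silently overrides the caller's argument with no explanation, and the related comment in `ossl_prov_drbg_generate` lacks a space before `*/`. I would annotate the first, e.g. `/* SUSE FIPS: force prediction resistance on every reseed (presumably so the parent reseeds first), regardless of the caller's request */`, and tighten the second to `/* SUSE: the parent chain reseeds itself when needed, so only sync the counter */` so a reader sees that a parent reseed no longer forces a child reseed in FIPS mode. Both enclosing functions start and end outside the hunk.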
@@ -78,11 +99,11 @@ Index: openssl-3.1.4/providers/implementations/rands/drbg_local.h /* * Maximum input size for the DRBG (entropy, nonce, personalization string) -Index: openssl-3.1.4/providers/implementations/rands/seed_src.c +Index: openssl-3.2.3/providers/implementations/rands/seed_src.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/rands/seed_src.c -+++ openssl-3.1.4/providers/implementations/rands/seed_src.c -@@ -104,7 +104,14 @@ static int seed_src_generate(void *vseed +--- openssl-3.2.3.orig/providers/implementations/rands/seed_src.c ++++ openssl-3.2.3/providers/implementations/rands/seed_src.c +@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed return 0; } @@ -96,9 +117,9 @@ Index: openssl-3.1.4/providers/implementations/rands/seed_src.c + */ + pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen); if (pool == NULL) { - ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); return 0; -@@ -184,7 +191,14 @@ static size_t seed_get_seed(void *vseed, +@@ -182,7 +189,14 @@ static size_t seed_get_seed(void *vseed, size_t i; RAND_POOL *pool; diff --git a/openssl-FIPS-140-3-keychecks.patch b/openssl-FIPS-140-3-keychecks.patch index ea7f344..9fc5232 100644 --- a/openssl-FIPS-140-3-keychecks.patch +++ b/openssl-FIPS-140-3-keychecks.patch @@ -1,23 +1,25 @@ -From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001 +From 4512f620199126e6b87433ef184f0450652ee28a Mon Sep 17 00:00:00 2001 
From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 12:05:23 +0200 -Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch +Date: Thu, 4 Apr 2024 11:42:18 +0200 +Subject: [PATCH 19/50] 0044-FIPS-140-3-keychecks.patch Patch-name: 0044-FIPS-140-3-keychecks.patch Patch-id: 44 Patch-status: | # Extra public/private key checks required by FIPS-140-3 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- crypto/dh/dh_key.c | 26 ++++++++++ + crypto/rsa/rsa_gen.c | 3 ++ .../implementations/exchange/ecdh_exch.c | 19 ++++++++ providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++- providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++ .../implementations/signature/ecdsa_sig.c | 37 +++++++++++++-- providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++-- - 6 files changed, 162 insertions(+), 9 deletions(-) + 7 files changed, 165 insertions(+), 9 deletions(-) diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 4e9705beef..83773cceea 100644 +index 7132b9b68e..189bfc3e8b 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) @@ -30,7 +32,7 @@ index 4e9705beef..83773cceea 100644 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) +@@ -60,6 +63,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) return 0; } @@ -44,7 +46,7 @@ index 4e9705beef..83773cceea 100644 ctx = BN_CTX_new_ex(dh->libctx); if (ctx == NULL) goto err; -@@ -262,6 +272,9 @@ static int generate_key(DH *dh) +@@ -271,6 +281,9 @@ static int generate_key(DH *dh) #endif BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; 
@@ -54,7 +56,7 @@ index 4e9705beef..83773cceea 100644 if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -@@ -354,8 +367,21 @@ static int generate_key(DH *dh) +@@ -369,8 +382,21 @@ static int generate_key(DH *dh) if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) goto err; @@ -76,8 +78,22 @@ index 4e9705beef..83773cceea 100644 dh->dirty_cnt++; ok = 1; err: +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index 0cdbb3fde2..65ff9d2d47 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -464,6 +464,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, + rsa->dmp1 = NULL; + rsa->dmq1 = NULL; + rsa->iqmp = NULL; ++#ifdef FIPS_MODULE ++ abort(); ++#endif /* defined(FIPS_MODULE) */ + } + } + return ok; diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c -index 43caedb6df..73873f9758 100644 +index 5b8412aba1..1d98eba132 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, @@ -107,13 +123,13 @@ index 43caedb6df..73873f9758 100644 retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c -index a37cbbdba8..bca3f3c674 100644 +index 9390935394..1399be1751 100644 --- a/providers/implementations/keymgmt/ec_kmgmt.c +++ b/providers/implementations/keymgmt/ec_kmgmt.c -@@ -989,8 +989,17 @@ struct ec_gen_ctx { - int selection; - int ecdh_mode; +@@ -991,8 +991,17 @@ struct ec_gen_ctx { EC_GROUP *gen_group; + unsigned char *dhkem_ikm; + size_t dhkem_ikmlen; +#ifdef FIPS_MODULE + void *ecdsa_sig_ctx; +#endif 
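Review bot: The added rsa_gen.c lines put a bare `abort()` behind `#ifdef FIPS_MODULE` with no comment and no diagnostic, so a FIPS build dies without any explanation of which check failed. The surrounding context (clearing `dmp1`, `dmq1`, `iqmp` in `rsa_keygen`) looks like the pairwise-consistency-test failure branch, but that is inferred; a comment above the call such as `/* FIPS 140-3: a failed pairwise consistency test must enter the error state; abort rather than return a half-cleared key */` would record the intent, and raising an error first, if the upstream code does not already record one, would help diagnosis. The `#endif /* defined(FIPS_MODULE) */` style also differs from the bare `#endif` used in the other hunks of this patch. `rsa_keygen` starts before the hunk.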
@@ -128,7 +144,7 @@ index a37cbbdba8..bca3f3c674 100644 static void *ec_gen_init(void *provctx, int selection, const OSSL_PARAM params[]) { -@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection, +@@ -1011,6 +1020,10 @@ static void *ec_gen_init(void *provctx, int selection, gctx = NULL; } } @@ -139,7 +155,7 @@ index a37cbbdba8..bca3f3c674 100644 return gctx; } -@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) +@@ -1291,6 +1304,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) if (gctx->ecdh_mode != -1) ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); @@ -151,8 +167,8 @@ index a37cbbdba8..bca3f3c674 100644 +#endif if (gctx->group_check != NULL) - ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check); -@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx) + ret = ret && ossl_ec_set_check_group_type_from_name(ec, +@@ -1361,7 +1380,10 @@ static void ec_gen_cleanup(void *genctx) if (gctx == NULL) return; @@ -161,11 +177,11 @@ index a37cbbdba8..bca3f3c674 100644 + ecdsa_freectx(gctx->ecdsa_sig_ctx); + gctx->ecdsa_sig_ctx = NULL; +#endif + OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen); EC_GROUP_free(gctx->gen_group); BN_free(gctx->p); - BN_free(gctx->a); diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c -index 3ba12c4889..ff49f8fcd8 100644 +index c24cb8da88..4462afa041 100644 --- a/providers/implementations/keymgmt/rsa_kmgmt.c +++ b/providers/implementations/keymgmt/rsa_kmgmt.c @@ -434,6 +434,7 @@ struct rsa_gen_ctx { @@ -222,10 +238,10 @@ index 3ba12c4889..ff49f8fcd8 100644 BN_clear_free(gctx->pub_exp); OPENSSL_free(gctx); diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c -index 865d49d100..ebeb30e002 100644 +index fe65ed8dc6..f158105e71 100644 --- a/providers/implementations/signature/ecdsa_sig.c 
+++ b/providers/implementations/signature/ecdsa_sig.c -@@ -32,7 +32,7 @@ +@@ -33,7 +33,7 @@ #include "crypto/ec.h" #include "prov/der_ec.h" @@ -234,7 +250,7 @@ index 865d49d100..ebeb30e002 100644 static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; static OSSL_FUNC_signature_sign_fn ecdsa_sign; -@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final; +@@ -44,7 +44,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final; static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; @@ -243,8 +259,8 @@ index 865d49d100..ebeb30e002 100644 static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx; static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; -@@ -104,7 +104,7 @@ typedef struct { - #endif +@@ -107,7 +107,7 @@ typedef struct { + unsigned int nonce_type; } PROV_ECDSA_CTX; -static void *ecdsa_newctx(void *provctx, const char *propq) @@ -252,7 +268,7 @@ index 865d49d100..ebeb30e002 100644 { PROV_ECDSA_CTX *ctx; -@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig, +@@ -380,7 +380,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig, return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen); } @@ -261,7 +277,7 @@ index 865d49d100..ebeb30e002 100644 { PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; -@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) +@@ -601,6 +601,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) return EVP_MD_settable_ctx_params(ctx->md); } 
@@ -298,7 +314,7 @@ index 865d49d100..ebeb30e002 100644 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index cd5de6bd51..d4261e8f7d 100644 +index 76db37dd02..22d93ead53 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c @@ -34,7 +34,7 @@ @@ -328,7 +344,7 @@ index cd5de6bd51..d4261e8f7d 100644 { PROV_RSA_CTX *prsactx = NULL; char *propq_copy = NULL; -@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, +@@ -974,7 +974,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); } @@ -337,7 +353,7 @@ index cd5de6bd51..d4261e8f7d 100644 { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; -@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) +@@ -1451,6 +1451,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) return EVP_MD_settable_ctx_params(prsactx->md); } @@ -384,5 +400,5 @@ index cd5de6bd51..d4261e8f7d 100644 { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, -- -2.41.0 +2.44.0 diff --git a/openssl-FIPS-140-3-zeroization.patch b/openssl-FIPS-140-3-zeroization.patch index 5e9d9b4..54fc9ad 100644 --- a/openssl-FIPS-140-3-zeroization.patch +++ b/openssl-FIPS-140-3-zeroization.patch 
@@ -1,68 +1,8 @@ -Index: openssl-3.1.4/crypto/ffc/ffc_params.c +Index: openssl-3.2.3/crypto/ec/ec_lib.c =================================================================== ---- openssl-3.1.4.orig/crypto/ffc/ffc_params.c -+++ openssl-3.1.4/crypto/ffc/ffc_params.c -@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa - - void ossl_ffc_params_cleanup(FFC_PARAMS *params) - { -- BN_free(params->p); -- BN_free(params->q); -- BN_free(params->g); -- BN_free(params->j); -+ BN_clear_free(params->p); -+ BN_clear_free(params->q); -+ BN_clear_free(params->g); -+ BN_clear_free(params->j); - OPENSSL_free(params->seed); - ossl_ffc_params_init(params); - } -Index: openssl-3.1.4/crypto/rsa/rsa_lib.c -=================================================================== ---- openssl-3.1.4.orig/crypto/rsa/rsa_lib.c -+++ openssl-3.1.4/crypto/rsa/rsa_lib.c -@@ -155,8 +155,8 @@ void RSA_free(RSA *r) - - CRYPTO_THREAD_lock_free(r->lock); - -- BN_free(r->n); -- BN_free(r->e); -+ BN_clear_free(r->n); -+ BN_clear_free(r->e); - BN_clear_free(r->d); - BN_clear_free(r->p); - BN_clear_free(r->q); -Index: openssl-3.1.4/providers/implementations/kdfs/hkdf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/hkdf.c -+++ openssl-3.1.4/providers/implementations/kdfs/hkdf.c -@@ -118,7 +118,7 @@ static void kdf_hkdf_reset(void *vctx) - void *provctx = ctx->provctx; - - ossl_prov_digest_reset(&ctx->digest); -- OPENSSL_free(ctx->salt); -+ OPENSSL_clear_free(ctx->salt, ctx->salt_len); - OPENSSL_free(ctx->prefix); - OPENSSL_free(ctx->label); - OPENSSL_clear_free(ctx->data, ctx->data_len); -Index: openssl-3.1.4/providers/implementations/kdfs/pbkdf2.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/pbkdf2.c -+++ openssl-3.1.4/providers/implementations/kdfs/pbkdf2.c -@@ -92,7 +92,7 @@ static void *kdf_pbkdf2_new(void *provct - static void 
kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx) - { - ossl_prov_digest_reset(&ctx->digest); -- OPENSSL_free(ctx->salt); -+ OPENSSL_clear_free(ctx->salt, ctx->salt_len); - OPENSSL_clear_free(ctx->pass, ctx->pass_len); - memset(ctx, 0, sizeof(*ctx)); - } -Index: openssl-3.1.4/crypto/ec/ec_lib.c -=================================================================== ---- openssl-3.1.4.orig/crypto/ec/ec_lib.c -+++ openssl-3.1.4/crypto/ec/ec_lib.c -@@ -752,12 +752,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g +--- openssl-3.2.3.orig/crypto/ec/ec_lib.c ++++ openssl-3.2.3/crypto/ec/ec_lib.c +@@ -743,12 +743,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g void EC_POINT_free(EC_POINT *point) { 
@@ -79,3 +19,63 @@ Index: openssl-3.1.4/crypto/ec/ec_lib.c } void EC_POINT_clear_free(EC_POINT *point) +Index: openssl-3.2.3/crypto/ffc/ffc_params.c +=================================================================== +--- openssl-3.2.3.orig/crypto/ffc/ffc_params.c ++++ openssl-3.2.3/crypto/ffc/ffc_params.c +@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa + + void ossl_ffc_params_cleanup(FFC_PARAMS *params) + { +- BN_free(params->p); +- BN_free(params->q); +- BN_free(params->g); +- BN_free(params->j); ++ BN_clear_free(params->p); ++ BN_clear_free(params->q); ++ BN_clear_free(params->g); ++ BN_clear_free(params->j); + OPENSSL_free(params->seed); + ossl_ffc_params_init(params); + } +Index: openssl-3.2.3/crypto/rsa/rsa_lib.c +=================================================================== +--- openssl-3.2.3.orig/crypto/rsa/rsa_lib.c ++++ openssl-3.2.3/crypto/rsa/rsa_lib.c +@@ -159,8 +159,8 @@ void RSA_free(RSA *r) + CRYPTO_THREAD_lock_free(r->lock); + CRYPTO_FREE_REF(&r->references); + +- BN_free(r->n); +- BN_free(r->e); ++ BN_clear_free(r->n); ++ BN_clear_free(r->e); + BN_clear_free(r->d); + BN_clear_free(r->p); + BN_clear_free(r->q); +Index: openssl-3.2.3/providers/implementations/kdfs/hkdf.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/kdfs/hkdf.c ++++ openssl-3.2.3/providers/implementations/kdfs/hkdf.c +@@ -117,7 +117,7 @@ static void kdf_hkdf_reset(void *vctx) + void *provctx = ctx->provctx; + + ossl_prov_digest_reset(&ctx->digest); +- OPENSSL_free(ctx->salt); ++ OPENSSL_clear_free(ctx->salt, ctx->salt_len); + OPENSSL_free(ctx->prefix); + OPENSSL_free(ctx->label); + OPENSSL_clear_free(ctx->data, ctx->data_len); +Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/kdfs/pbkdf2.c ++++ openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c +@@ -90,7 
+90,7 @@ static void *kdf_pbkdf2_new(void *provct + static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx) + { + ossl_prov_digest_reset(&ctx->digest); +- OPENSSL_free(ctx->salt); ++ OPENSSL_clear_free(ctx->salt, ctx->salt_len); + OPENSSL_clear_free(ctx->pass, ctx->pass_len); + memset(ctx, 0, sizeof(*ctx)); + } diff --git a/openssl-FIPS-Add-explicit-indicator-for-key-length.patch b/openssl-FIPS-Add-explicit-indicator-for-key-length.patch index bfbe885..3a40b60 100644 --- a/openssl-FIPS-Add-explicit-indicator-for-key-length.patch +++ b/openssl-FIPS-Add-explicit-indicator-for-key-length.patch @@ -20,11 +20,11 @@ Signed-off-by: Clemens Lang providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++ 4 files changed, 28 insertions(+) -Index: openssl-3.1.4/include/crypto/evp.h +Index: openssl-3.2.3/include/crypto/evp.h =================================================================== ---- openssl-3.1.4.orig/include/crypto/evp.h -+++ openssl-3.1.4/include/crypto/evp.h -@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_m +--- openssl-3.2.3.orig/include/crypto/evp.h ++++ openssl-3.2.3/include/crypto/evp.h +@@ -206,6 +206,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_m const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void); const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void); @@ -38,11 +38,11 @@ Index: openssl-3.1.4/include/crypto/evp.h struct evp_mac_st { OSSL_PROVIDER *prov; int name_id; -Index: openssl-3.1.4/include/openssl/evp.h +Index: openssl-3.2.3/include/openssl/evp.h =================================================================== ---- openssl-3.1.4.orig/include/openssl/evp.h -+++ openssl-3.1.4/include/openssl/evp.h -@@ -1196,6 +1196,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX +--- openssl-3.2.3.orig/include/openssl/evp.h ++++ openssl-3.2.3/include/openssl/evp.h +@@ -1199,6 +1199,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX void *arg); /* MAC stuff */ 
@@ -52,20 +52,20 @@ Index: openssl-3.1.4/include/openssl/evp.h EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm, const char *properties); -Index: openssl-3.1.4/providers/implementations/macs/hmac_prov.c +Index: openssl-3.2.3/providers/implementations/macs/hmac_prov.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/macs/hmac_prov.c -+++ openssl-3.1.4/providers/implementations/macs/hmac_prov.c -@@ -21,6 +21,8 @@ - #include - #include +--- openssl-3.2.3.orig/providers/implementations/macs/hmac_prov.c ++++ openssl-3.2.3/providers/implementations/macs/hmac_prov.c +@@ -23,6 +23,8 @@ + + #include "internal/ssl3_cbc.h" +#include "crypto/evp.h" + #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/provider_util.h" -@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, uns +@@ -235,6 +237,9 @@ static int hmac_final(void *vmacctx, uns static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL), @@ -75,7 +75,7 @@ Index: openssl-3.1.4/providers/implementations/macs/hmac_prov.c OSSL_PARAM_END }; static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx, -@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vma +@@ -256,6 +261,18 @@ static int hmac_get_ctx_params(void *vma && !OSSL_PARAM_set_int(p, hmac_block_size(macctx))) return 0; 
@@ -94,15 +94,15 @@ Index: openssl-3.1.4/providers/implementations/macs/hmac_prov.c return 1; } -Index: openssl-3.1.4/include/openssl/core_names.h +Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm =================================================================== ---- openssl-3.1.4.orig/include/openssl/core_names.h -+++ openssl-3.1.4/include/openssl/core_names.h -@@ -175,6 +175,7 @@ extern "C" { - #define OSSL_MAC_PARAM_SIZE "size" /* size_t */ - #define OSSL_MAC_PARAM_BLOCK_SIZE "block-size" /* size_t */ - #define OSSL_MAC_PARAM_TLS_DATA_SIZE "tls-data-size" /* size_t */ -+#define OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" /* size_t */ +--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm ++++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm +@@ -143,6 +143,7 @@ my %params = ( + 'MAC_PARAM_SIZE' => "size", # size_t + 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t + 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t ++ 'MAC_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator", # size_t - /* Known MAC names */ - #define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC" + # KDF / PRF parameters + 'KDF_PARAM_SECRET' => "secret", # octet string diff --git a/openssl-FIPS-RSA-disable-shake.patch b/openssl-FIPS-RSA-disable-shake.patch index df3a710..226f786 100644 --- a/openssl-FIPS-RSA-disable-shake.patch +++ b/openssl-FIPS-RSA-disable-shake.patch 
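Review bot: The indicator definition moves from core_names.h to util/perl/OpenSSL/paramnames.pm without a word in the patch about why; in this OpenSSL series core_names.h is generated from paramnames.pm, so a line in the patch description such as `core_names.h is generated from util/perl/OpenSSL/paramnames.pm since 3.2; the SUSE indicator is added there` would stop a future rebase from re-adding the `#define` by hand. The copied `# size_t` annotation on `'MAC_PARAM_SUSE_FIPS_INDICATOR'` should also be checked against the OSSL_PARAM type hmac_prov.c actually declares for it in `known_gettable_ctx_params` (that hunk is not visible here) and changed to `# int` if that is what the provider sets.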
@@ -10,11 +10,11 @@ Patch-id: 85 crypto/rsa/rsa_pss.c | 16 ++++++++++++++++ 2 files changed, 44 insertions(+) -diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c -index b2f7f7dc4b..af2b0b026c 100644 ---- a/crypto/rsa/rsa_oaep.c -+++ b/crypto/rsa/rsa_oaep.c -@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, +Index: openssl-3.1.7/crypto/rsa/rsa_oaep.c +=================================================================== +--- openssl-3.1.7.orig/crypto/rsa/rsa_oaep.c ++++ openssl-3.1.7/crypto/rsa/rsa_oaep.c +@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1 return 0; #endif } @@ -38,7 +38,7 @@ index b2f7f7dc4b..af2b0b026c 100644 mdlen = EVP_MD_get_size(md); if (mdlen <= 0) { ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH); -@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, +@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un #endif } @@ -61,12 +61,12 @@ index b2f7f7dc4b..af2b0b026c 100644 + mdlen = EVP_MD_get_size(md); - if (tlen <= 0 || flen <= 0) -diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c -index bb46ec64c7..c0fdf232da 100644 ---- a/crypto/rsa/rsa_pss.c -+++ b/crypto/rsa/rsa_pss.c -@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, + if (tlen <= 0 || flen <= 0 || mdlen <= 0) +Index: openssl-3.1.7/crypto/rsa/rsa_pss.c +=================================================================== +--- openssl-3.1.7.orig/crypto/rsa/rsa_pss.c ++++ openssl-3.1.7/crypto/rsa/rsa_pss.c +@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, if (mgf1Hash == NULL) mgf1Hash = Hash; @@ -81,7 +81,7 @@ index bb46ec64c7..c0fdf232da 100644 hLen = EVP_MD_get_size(Hash); if (hLen < 0) goto err; -@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, +@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA * if (mgf1Hash == NULL) mgf1Hash = Hash; 
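Review bot: The refreshed header lines in this patch name `openssl-3.1.7` (`Index: openssl-3.1.7/crypto/rsa/rsa_oaep.c`, `--- openssl-3.1.7.orig/crypto/rsa/rsa_oaep.c`, `+++ openssl-3.1.7/crypto/rsa/rsa_oaep.c`), while every other patch refreshed in this commit uses `openssl-3.2.3`. The prefixes themselves are harmless under `-p1`, but the mismatch suggests this patch was refreshed against a 3.1 tree rather than the 3.2.3 tarball this commit imports, so its hunks should be re-verified against 3.2.3's rsa_oaep.c and rsa_pss.c and the prefixes changed to `openssl-3.2.3`. The same applies to the rsa_pss.c header in the `@@ -61,12 +61,12 @@` hunk that follows.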
@@ -96,6 +96,3 @@ index bb46ec64c7..c0fdf232da 100644 hLen = EVP_MD_get_size(Hash); if (hLen < 0) goto err; --- -2.41.0 - diff --git a/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch b/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch index 69a1f6c..bb1888d 100644 --- a/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch +++ b/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch 
@@ -1,36 +1,21 @@ -From 4de5fa26873297f5c2eeed53e5c988437f837f55 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 17 Nov 2022 13:53:31 +0100 -Subject: [PATCH] signature: Remove X9.31 padding from FIPS prov +From 930e7acf7dd225102b6e88d23f5e2a3f4acea9fa Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:43:57 +0200 +Subject: [PATCH 37/48] + 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch -The current draft of FIPS 186-5 [1] no longer contains specifications -for X9.31 signature padding. Instead, it contains the following -information in Appendix E: - -> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from -> this standard. - -Since this situation is unlikely to change in future revisions of the -draft, and future FIPS 140-3 validations of the provider will require -X9.31 to be disabled or marked as not approved with an explicit -indicator, disallow this padding mode now. - -Remove the X9.31 tests from the acvp test, since they will always fail -now. 
- - [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf - -Signed-off-by: Clemens Lang +Patch-name: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch +Patch-id: 81 --- providers/implementations/signature/rsa_sig.c | 6 + test/acvp_test.inc | 214 ------------------ 2 files changed, 6 insertions(+), 214 deletions(-) -Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c +Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c -@@ -1250,7 +1250,13 @@ static int rsa_set_ctx_params(void *vprs +--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c +@@ -1291,7 +1291,13 @@ static int rsa_set_ctx_params(void *vprs err_extra_text = "No padding not allowed with RSA-PSS"; goto cont; case RSA_X931_PADDING: @@ -44,10 +29,10 @@ Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c cont: if (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA) -Index: openssl-3.1.4/test/acvp_test.inc +Index: openssl-3.2.3/test/acvp_test.inc =================================================================== ---- openssl-3.1.4.orig/test/acvp_test.inc -+++ openssl-3.1.4/test/acvp_test.inc +--- openssl-3.2.3.orig/test/acvp_test.inc ++++ openssl-3.2.3/test/acvp_test.inc @@ -1214,13 +1214,6 @@ static const struct rsa_siggen_st rsa_si NO_PSS_SALT_LEN, }, 
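Review bot: The rewritten header drops the whole rationale that the old text carried (FIPS 186-5 withdrew ANSI X9.31, and a FIPS 140-3 validation needs the padding disabled or marked non-approved) and, unlike the neighbouring patches, has no `Patch-status:` line, so the one-line `rsa_sig.c` change that rejects `RSA_X931_PADDING` is left unexplained in the packaged patch. Apart from the rebase to `openssl-3.2.3` (`@@ -1291`) the code is unchanged. Suggest restoring a short status block: `Patch-status: | # FIPS 186-5 withdrew ANSI X9.31: reject RSA_X931_PADDING in the FIPS provider and drop the x931 ACVP vectors`.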
@@ -265,24 +250,13 @@ Index: openssl-3.1.4/test/acvp_test.inc static const struct rsa_sigver_st rsa_sigver_data[] = { { "pkcs1", /* pkcs1v1.5 */ -@@ -1850,28 +1647,6 @@ static const struct rsa_sigver_st rsa_si +@@ -1850,17 +1647,6 @@ static const struct rsa_sigver_st rsa_si NO_PSS_SALT_LEN, FAIL }, - { - "x931", - 3072, -- "SHA1", -- ITM(rsa_sigverx931_0_msg), -- ITM(rsa_sigverx931_0_n), -- ITM(rsa_sigverx931_0_e), -- ITM(rsa_sigverx931_0_sig), -- NO_PSS_SALT_LEN, -- PASS -- }, -- { -- "x931", -- 3072, - "SHA256", - ITM(rsa_sigverx931_1_msg), - ITM(rsa_sigverx931_1_n), diff --git a/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch b/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch index e466173..1a756d1 100644 --- a/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +++ b/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch @@ -1,22 +1,22 @@ -From abeda0b0475adb0d4f89b0c97cfc349779915bbf Mon Sep 17 00:00:00 2001 +From 62721a92ebec8746888d94bea0082c8d8763219e Mon Sep 17 00:00:00 2001 From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 29/35] +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 27/49] 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch Patch-id: 73 Patch-status: | - # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- crypto/rsa/rsa_local.h | 8 ++ crypto/rsa/rsa_oaep.c | 34 ++++++-- - include/openssl/core_names.h | 3 + providers/fips/self_test_data.inc | 79 ++++++++++--------- providers/fips/self_test_kats.c | 7 ++ .../implementations/asymciphers/rsa_enc.c | 41 +++++++++- - 6 files changed, 128 insertions(+), 44 deletions(-) + util/perl/OpenSSL/paramnames.pm | 1 + + 6 files changed, 126 insertions(+), 44 deletions(-) 
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h index ea70da05ad..dde57a1a0e 100644 @@ -36,7 +36,7 @@ index ea70da05ad..dde57a1a0e 100644 + #endif /* OSSL_CRYPTO_RSA_LOCAL_H */ diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c -index d9be1a4f98..b2f7f7dc4b 100644 +index b9030440c4..3d665c3860 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, @@ -75,14 +75,14 @@ index d9be1a4f98..b2f7f7dc4b 100644 memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); /* step 3d: generate random byte string */ +#ifdef FIPS_MODULE -+ if (suse_st_seed != NULL && SUSE_FIPS_asym_cipher_st) { ++ if (suse_st_seed != NULL && SUSE_FIPS_asym_cipher_st) { + memcpy(seed, suse_st_seed, mdlen); + } else +#endif if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0) goto err; -@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, +@@ -136,6 +146,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, return rv; } @@ -101,22 +101,8 @@ index d9be1a4f98..b2f7f7dc4b 100644 int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, const unsigned char *from, int flen, const unsigned char *param, int plen, -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 5e3c132f5b..c0cce14297 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -471,6 +471,9 @@ extern "C" { - #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" - #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" - #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" -+#ifdef FIPS_MODULE -+#define OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED "suse-kat-oaep-seed" -+#endif - - /* - * Encoder / decoder parameters diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc -index e0fdc0daa4..aa2012c04a 100644 +index 4b80bb70b9..c33ecd0791 100644 
--- a/providers/fips/self_test_data.inc +++ b/providers/fips/self_test_data.inc @@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = { @@ -222,10 +208,10 @@ index e0fdc0daa4..aa2012c04a 100644 #ifndef OPENSSL_NO_EC diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c -index 74ee25dcb6..a9bc8be7fa 100644 +index f13c41abd6..4ea10670c0 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c -@@ -641,14 +641,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) +@@ -642,14 +642,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) return ret; } @@ -248,7 +234,7 @@ index 74ee25dcb6..a9bc8be7fa 100644 } diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c -index 9cd8904131..40de5ce8fa 100644 +index d548560f1f..f3443b0c66 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c @@ -30,6 +30,9 @@ @@ -268,10 +254,10 @@ index 9cd8904131..40de5ce8fa 100644 +#ifdef FIPS_MODULE + char *suse_st_oaep_seed; +#endif /* FIPS_MODULE */ + /* PKCS#1 v1.5 decryption mode */ + unsigned int implicit_rejection; } PROV_RSA_CTX; - - static void *rsa_newctx(void *provctx) -@@ -192,12 +198,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, +@@ -193,12 +199,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, } } ret = @@ -295,7 +281,7 @@ index 9cd8904131..40de5ce8fa 100644 if (!ret) { OPENSSL_free(tbuf); -@@ -328,6 +343,9 @@ static void rsa_freectx(void *vprsactx) +@@ -332,6 +347,9 @@ static void rsa_freectx(void *vprsactx) EVP_MD_free(prsactx->oaep_md); EVP_MD_free(prsactx->mgf1_md); OPENSSL_free(prsactx->oaep_label); 
@@ -305,17 +291,17 @@ index 9cd8904131..40de5ce8fa 100644 OPENSSL_free(prsactx); } -@@ -447,6 +465,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { +@@ -455,6 +473,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { NULL, 0), OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), +#ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED, NULL, 0), +#endif /* FIPS_MODULE */ + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), OSSL_PARAM_END }; - -@@ -456,6 +477,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, +@@ -465,6 +486,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, return known_gettable_ctx_params; } @@ -326,7 +312,7 @@ index 9cd8904131..40de5ce8fa 100644 static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; -@@ -567,6 +592,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) +@@ -576,6 +601,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) prsactx->oaep_labellen = tmp_labellen; } @@ -345,6 +331,18 @@ index 9cd8904131..40de5ce8fa 100644 p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); if (p != NULL) { unsigned int client_version; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index c37ed7815f..70f7c50fe4 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -401,6 +401,7 @@ my %params = ( + 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version", + 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", + 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", ++ 'ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED' => "suse-kat-oaep-seed", + + # Encoder / decoder parameters + -- -2.41.0 +2.44.0 
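Review bot: Moving the parameter name out of a `#ifdef FIPS_MODULE` block in `core_names.h` (removed earlier in this file) into `util/perl/OpenSSL/paramnames.pm` makes `OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED` / `"suse-kat-oaep-seed"` an unconditional entry in the generated public `core_names.h`, so a self-test-only knob for feeding a fixed OAEP seed now looks like supported API even though only the `FIPS_MODULE` build of `rsa_enc.c` and `rsa_oaep.c` ever reads it. Since every use is already guarded by `FIPS_MODULE`, defining the macro in an internal header those two files share would keep it out of the public header; at minimum the pm entry needs a marker such as `# SUSE: fixed OAEP seed for the FIPS KAT only; not a supported API`. The `OEAP` misspelling in the identifier is carried into the new entry; renaming it to `..._OAEP_SEED` while it is still SUSE-private would be cheap.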
diff --git a/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
index f1b6ef7..4467399 100644
--- a/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+++ b/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
@@ -1,32 +1,25 @@ -From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 15 Jul 2022 17:45:40 +0200 -Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test +From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:16 +0100 +Subject: [PATCH 28/49] + 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch -In review for FIPS 140-3, the lack of a self-test for the digest_sign -and digest_verify provider functions was highlighted as a problem. NIST -no longer provides ACVP tests for the RSA SigVer primitive (see -https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3 -recommends the use of functions that compute the digest and signature -within the module, we have been advised in our module review that the -self tests should also use the combined digest and signature APIs, i.e. -the digest_sign and digest_verify provider functions. - -Modify the signature self-test to use these instead by switching to -EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to -crypto/evp/m_sigver.c to make these functions usable in the FIPS module. 
- -Signed-off-by: Clemens Lang +Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +Patch-id: 74 +Patch-status: | + # [PATCH 29/46] + # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------ - providers/fips/self_test_kats.c | 37 +++++++++++++++------------- - 2 files changed, 56 insertions(+), 24 deletions(-) + crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++----- + providers/fips/self_test_kats.c | 43 +++++++++++++++----------- + 2 files changed, 73 insertions(+), 24 deletions(-) -Index: openssl-3.1.4/crypto/evp/m_sigver.c +Index: openssl-3.2.3/crypto/evp/m_sigver.c =================================================================== ---- openssl-3.1.4.orig/crypto/evp/m_sigver.c -+++ openssl-3.1.4/crypto/evp/m_sigver.c -@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const +--- openssl-3.2.3.orig/crypto/evp/m_sigver.c ++++ openssl-3.2.3/crypto/evp/m_sigver.c +@@ -86,6 +86,7 @@ static int update(EVP_MD_CTX *ctx, const ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED); return 0; } @@ -34,7 +27,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c /* * If we get the "NULL" md then the name comes back as "UNDEF". We want to use -@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ct +@@ -121,8 +122,10 @@ static int do_sigver_init(EVP_MD_CTX *ct reinit = 0; if (e == NULL) ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); @@ -45,7 +38,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c } if (ctx->pctx == NULL) return 0; -@@ -134,8 +137,10 @@ static int do_sigver_init(EVP_MD_CTX *ct +@@ -132,8 +135,10 @@ static int do_sigver_init(EVP_MD_CTX *ct locpctx = ctx->pctx; ERR_set_mark(); 
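Review bot: The new `Patch-status:` block only repeats the patch's own file name (`# [PATCH 29/46]` / `# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch`), while the description being removed here explained why the `m_sigver.c` ifdef surgery exists: the FIPS 140-3 review wanted the signature self-test to exercise the module's `digest_sign`/`digest_verify` provider functions, and NIST no longer publishes ACVP vectors for the RSA SigVer primitive. Without that, the next person rebasing these hunks has no way to tell which branches must stay reachable inside the FIPS build. Keep a one-line summary, e.g. `# FIPS 140-3: run the signature KATs through EVP_DigestSign/EVP_DigestVerify so digest_sign/digest_verify are self-tested`.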
@@ -56,7 +49,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c /* do not reinitialize if pkey is set or operation is different */ if (reinit -@@ -220,8 +225,10 @@ static int do_sigver_init(EVP_MD_CTX *ct +@@ -218,8 +223,10 @@ static int do_sigver_init(EVP_MD_CTX *ct signature = evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, supported_sig, locpctx->propquery); @@ -67,7 +60,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c break; } if (signature == NULL) -@@ -305,6 +312,7 @@ static int do_sigver_init(EVP_MD_CTX *ct +@@ -303,6 +310,7 @@ static int do_sigver_init(EVP_MD_CTX *ct ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props); if (ctx->fetched_digest != NULL) { ctx->digest = ctx->reqdigest = ctx->fetched_digest; @@ -75,7 +68,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c } else { /* legacy engine support : remove the mark when this is deleted */ ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname); -@@ -313,11 +321,13 @@ static int do_sigver_init(EVP_MD_CTX *ct +@@ -311,11 +319,13 @@ static int do_sigver_init(EVP_MD_CTX *ct ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } @@ -89,7 +82,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c if (ctx->reqdigest != NULL && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) -@@ -329,6 +339,7 @@ static int do_sigver_init(EVP_MD_CTX *ct +@@ -327,6 +337,7 @@ static int do_sigver_init(EVP_MD_CTX *ct goto err; } } @@ -97,7 +90,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c if (ver) { if (signature->digest_verify_init == NULL) { -@@ -361,6 +372,7 @@ static int do_sigver_init(EVP_MD_CTX *ct +@@ -359,6 +370,7 @@ static int do_sigver_init(EVP_MD_CTX *ct EVP_KEYMGMT_free(tmp_keymgmt); return 0; 
@@ -105,7 +98,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c legacy: /* * If we don't have the full support we need with provided methods, -@@ -432,6 +444,7 @@ static int do_sigver_init(EVP_MD_CTX *ct +@@ -430,6 +442,7 @@ static int do_sigver_init(EVP_MD_CTX *ct ctx->pctx->flag_call_digest_custom = 1; ret = 1; @@ -113,7 +106,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c end: #ifndef FIPS_MODULE -@@ -474,7 +487,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx +@@ -472,7 +485,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1, NULL); } @@ -121,7 +114,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) { -@@ -536,23 +548,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c +@@ -544,24 +556,30 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c return EVP_DigestUpdate(ctx, data, dsize); } @@ -130,14 +123,19 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c size_t *siglen) { - int sctx = 0, r = 0; -- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; +- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; + int r = 0; +#ifndef FIPS_MODULE + int sctx = 0; -+ EVP_PKEY_CTX *dctx; ++ EVP_PKEY_CTX *dctx = NULL; +#endif /* !defined(FIPS_MODULE) */ + EVP_PKEY_CTX *pctx = ctx->pctx; + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } + +#ifndef FIPS_MODULE if (pctx == NULL || pctx->operation != EVP_PKEY_OP_SIGNCTX 
@@ -146,26 +144,26 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c goto legacy; +#endif /* !defined(FIPS_MODULE) */ - if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) - return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, - sigret, siglen, - sigret == NULL ? 0 : *siglen); +#ifndef FIPS_MODULE - dctx = EVP_PKEY_CTX_dup(pctx); - if (dctx == NULL) - return 0; -@@ -561,8 +579,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, - sigret, siglen, - *siglen); - EVP_PKEY_CTX_free(dctx); -+#endif /* defined(FIPS_MODULE) */ + if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ + dctx = EVP_PKEY_CTX_dup(pctx); +@@ -576,7 +594,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + else + EVP_PKEY_CTX_free(dctx); return r; ++#else ++ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, ++ sigret, siglen, ++ sigret == NULL ? 0 : *siglen); ++ return r; ++#endif /* !defined(FIPS_MODULE) */ +#ifndef FIPS_MODULE legacy: if (pctx == NULL || pctx->pmeth == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -@@ -634,6 +654,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, +@@ -649,6 +674,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, } } return 1; @@ -173,7 +171,7 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c } int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, -@@ -664,21 +685,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi +@@ -687,23 +713,29 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen) { 
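Review bot: The new FIPS-only `#else` branch in `EVP_DigestSignFinal` calls `digest_sign_final` on `pctx->op.sig.algctx` and returns without ever setting `EVP_MD_CTX_FLAG_FINALISED`, so the `EVP_R_FINAL_ERROR` guard that the patch now places at the top of the function can never fire inside the FIPS module and a second finalisation of the same context is silently accepted there. The non-FIPS path sets that flag when it could not dup the context (that assignment sits just outside the hunk, so confirm its exact condition against 3.2.3); the FIPS branch should mirror it with `if (sigret != NULL) ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;` before `return r;`. The body of `EVP_DigestSignFinal` continues outside the hunk.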
@@ -183,11 +181,16 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c + unsigned char md[EVP_MAX_MD_SIZE]; unsigned int mdlen = 0; int vctx = 0; -- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; -+ EVP_PKEY_CTX *dctx; +- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; ++ EVP_PKEY_CTX *dctx = NULL; +#endif /* !defined(FIPS_MODULE) */ + EVP_PKEY_CTX *pctx = ctx->pctx; + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } + +#ifndef FIPS_MODULE if (pctx == NULL || pctx->operation != EVP_PKEY_OP_VERIFYCTX @@ -196,25 +199,25 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c goto legacy; +#endif /* !defined(FIPS_MODULE) */ - if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) - return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, - sig, siglen); +#ifndef FIPS_MODULE - dctx = EVP_PKEY_CTX_dup(pctx); - if (dctx == NULL) - return 0; -@@ -686,8 +713,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct - r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx, - sig, siglen); - EVP_PKEY_CTX_free(dctx); -+#endif /* !defined(FIPS_MODULE) */ + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ + dctx = EVP_PKEY_CTX_dup(pctx); +@@ -717,7 +749,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + else + EVP_PKEY_CTX_free(dctx); return r; ++#else ++ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, ++ sig, siglen); ++ return r; ++#endif /* !defined(FIPS_MODULE) */ +#ifndef FIPS_MODULE legacy: if (pctx == NULL || pctx->pmeth == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -@@ -727,6 +756,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct +@@ -758,6 +796,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct if (vctx || !r) return r; return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen); 
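Review bot: The FIPS-only `#else` branch in `EVP_DigestVerifyFinal` returns straight after `digest_verify_final` without setting `EVP_MD_CTX_FLAG_FINALISED`, which leaves the `EVP_R_FINAL_ERROR` check added at the top of the function unreachable in the FIPS build, while the same check is live in the default build. Add `ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;` before the `return r;` of that branch (the non-FIPS code sets the flag in its no-dup case; that line is outside the hunk, so check its condition before copying it). The function continues outside the hunk.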
@@ -222,15 +225,15 @@ Index: openssl-3.1.4/crypto/evp/m_sigver.c } int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, -@@ -752,4 +782,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co +@@ -790,4 +829,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co return -1; return EVP_DigestVerifyFinal(ctx, sigret, siglen); } -#endif /* FIPS_MODULE */ -Index: openssl-3.1.4/providers/fips/self_test_kats.c +Index: openssl-3.2.3/providers/fips/self_test_kats.c =================================================================== ---- openssl-3.1.4.orig/providers/fips/self_test_kats.c -+++ openssl-3.1.4/providers/fips/self_test_kats.c +--- openssl-3.2.3.orig/providers/fips/self_test_kats.c ++++ openssl-3.2.3/providers/fips/self_test_kats.c @@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_S int ret = 0; OSSL_PARAM *params = NULL, *params_sig = NULL; diff --git a/openssl-FIPS-early-KATS.patch b/openssl-FIPS-early-KATS.patch index 6675fcf..c18bfc8 100644 --- a/openssl-FIPS-early-KATS.patch +++ b/openssl-FIPS-early-KATS.patch 
@@ -1,8 +1,22 @@ -Index: openssl-3.1.4/providers/fips/self_test.c +From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 19 Oct 2023 13:12:40 +0200 +Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch + +Patch-name: 0047-FIPS-early-KATS.patch +Patch-id: 47 +Patch-status: | + # # Execute KATS before HMAC verification +From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 +--- + providers/fips/self_test.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +Index: openssl-3.2.3/providers/fips/self_test.c =================================================================== ---- openssl-3.1.4.orig/providers/fips/self_test.c -+++ openssl-3.1.4/providers/fips/self_test.c -@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS +--- openssl-3.2.3.orig/providers/fips/self_test.c ++++ openssl-3.2.3/providers/fips/self_test.c +@@ -507,6 +507,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS if (ev == NULL) goto end; @@ -16,10 +30,10 @@ Index: openssl-3.1.4/providers/fips/self_test.c + } + } + - module_checksum = fips_hmac_container; - checksum_len = sizeof(fips_hmac_container); - -@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + if (st->module_checksum_data == NULL) { + module_checksum = fips_hmac_container; + checksum_len = sizeof(fips_hmac_container); +@@ -575,18 +585,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS } } diff --git a/openssl-FIPS-embed-hmac.patch b/openssl-FIPS-embed-hmac.patch index 288361b..4ab0e3a 100644 --- a/openssl-FIPS-embed-hmac.patch +++ b/openssl-FIPS-embed-hmac.patch @@ -1,30 +1,32 @@ -From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001 +From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001 
From: rpm-build -Date: Thu, 19 Oct 2023 13:12:40 +0200 -Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch Patch-name: 0033-FIPS-embed-hmac.patch Patch-id: 33 Patch-status: | # # Embed HMAC into the fips.so -From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 + # Modify fips self test as per + # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - providers/fips/self_test.c | 70 ++++++++++++++++++++++++--- - test/fipsmodule.cnf | 2 + - test/recipes/00-prep_fipsmodule_cnf.t | 2 +- - test/recipes/01-test_fipsmodule_cnf.t | 2 +- - test/recipes/03-test_fipsinstall.t | 2 +- - test/recipes/30-test_defltfips.t | 2 +- - test/recipes/80-test_ssl_new.t | 2 +- - test/recipes/90-test_sslapi.t | 2 +- - 8 files changed, 71 insertions(+), 13 deletions(-) + providers/fips/self_test.c | 204 ++++++++++++++++++++++++-- + test/fipsmodule.cnf | 2 + + test/recipes/00-prep_fipsmodule_cnf.t | 2 +- + test/recipes/01-test_fipsmodule_cnf.t | 2 +- + test/recipes/03-test_fipsinstall.t | 2 +- + test/recipes/30-test_defltfips.t | 2 +- + test/recipes/80-test_ssl_new.t | 2 +- + test/recipes/90-test_sslapi.t | 2 +- + 8 files changed, 200 insertions(+), 18 deletions(-) create mode 100644 test/fipsmodule.cnf -diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c -index b8dc9817b2..e3a629018a 100644 ---- a/providers/fips/self_test.c -+++ b/providers/fips/self_test.c -@@ -230,11 +230,27 @@ err: +Index: openssl-3.2.3/providers/fips/self_test.c +=================================================================== +--- openssl-3.2.3.orig/providers/fips/self_test.c ++++ openssl-3.2.3/providers/fips/self_test.c +@@ -230,11 +230,133 @@ err: return ok; } 
@@ -40,6 +42,7 @@ index b8dc9817b2..e3a629018a 100644 * the result matches the expected value. * Return 1 if verified, or 0 if it fails. */ ++ +#ifndef __USE_GNU +#define __USE_GNU +#include 
@@ -48,11 +51,116 @@ index b8dc9817b2..e3a629018a 100644 +#include +#endif +#include ++ ++static int verify_integrity_rodata(OSSL_CORE_BIO *bio, ++ OSSL_FUNC_BIO_read_ex_fn read_ex_cb, ++ unsigned char *expected, size_t expected_len, ++ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, ++ const char *event_type) ++{ ++ int ret = 0, status; ++ unsigned char out[MAX_MD_SIZE]; ++ unsigned char buf[INTEGRITY_BUF_SIZE]; ++ size_t bytes_read = 0, out_len = 0; ++ EVP_MAC *mac = NULL; ++ EVP_MAC_CTX *ctx = NULL; ++ OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; ++ ++ if (expected_len != HMAC_LEN) ++ goto err; ++ ++ if (!integrity_self_test(ev, libctx)) ++ goto err; ++ ++ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); ++ ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ ++ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); ++ if (mac == NULL) ++ goto err; ++ ctx = EVP_MAC_CTX_new(mac); ++ if (ctx == NULL) ++ goto err; ++ ++ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); ++ *p = OSSL_PARAM_construct_end(); ++ ++ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) ++ goto err; ++ ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (off < paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ /* read away the buffer */ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ if (status != 1) ++ goto err; ++ ++ /* check that it is the 
expect bytes, no point in continuing otherwise */ ++ if (memcmp(expected, buf, HMAC_LEN) != 0) ++ goto err; ++ ++ /* replace in-file HMAC buffer with the original zeros */ ++ memset(buf, 0, HMAC_LEN); ++ if (!EVP_MAC_update(ctx, buf, HMAC_LEN)) ++ goto err; ++ off += HMAC_LEN; ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) ++ goto err; ++ ++ OSSL_SELF_TEST_oncorrupt_byte(ev, out); ++ if (expected_len != out_len ++ || memcmp(expected, out, out_len) != 0) ++ goto err; ++ ret = 1; ++err: ++ OPENSSL_cleanse(out, MAX_MD_SIZE); ++ OSSL_SELF_TEST_onend(ev, ret); ++ EVP_MAC_CTX_free(ctx); ++ EVP_MAC_free(mac); ++ return ret; ++} + static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, unsigned char *expected, size_t expected_len, OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, -@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex +@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BI EVP_MAC *mac = NULL; EVP_MAC_CTX *ctx = NULL; OSSL_PARAM params[2], *p = params; @@ -76,7 +184,7 @@ index b8dc9817b2..e3a629018a 100644 mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); if (mac == NULL) goto err; -@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex +@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BI if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) goto err; 
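Review bot: In `verify_integrity_rodata` the read that consumes the embedded MAC, `status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);`, checks only `status`, so a short read leaves stale bytes from the previous block in `buf` and both the `memcmp(expected, buf, HMAC_LEN)` and the zero-filled `EVP_MAC_update` then operate on the wrong data; tighten it to `if (status != 1 || bytes_read != HMAC_LEN) goto err;`. The container's file offset is derived as `fips_hmac_container - lm->l_addr`, i.e. its load-relative virtual address, which equals the file offset only while the segment holding `.rodata` is mapped with `p_vaddr == p_offset`; that holds for current GNU ld layouts but deserves a comment, noting that a mismatch fails closed through the `memcmp`. The function also duplicates most of `verify_integrity`; factoring the shared MAC-over-file loop into one helper would keep the two integrity paths from drifting apart.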
@@ -84,12 +192,12 @@ index b8dc9817b2..e3a629018a 100644 - status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); + while ((off + INTEGRITY_BUF_SIZE) <= paddr) { + status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); -+ if (status != 1) -+ break; -+ if (!EVP_MAC_update(ctx, buf, bytes_read)) -+ goto err; -+ off += bytes_read; -+ } + if (status != 1) + break; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; ++ off += bytes_read; + } + + if (off + INTEGRITY_BUF_SIZE > paddr) { + int delta = paddr - off; @@ -98,7 +206,7 @@ index b8dc9817b2..e3a629018a 100644 + goto err; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; -+ off += bytes_read; ++ off += bytes_read; + + status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); + memset(buf, 0, HMAC_LEN); @@ -106,22 +214,22 @@ index b8dc9817b2..e3a629018a 100644 + goto err; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; -+ off += bytes_read; ++ off += bytes_read; + } + + while (bytes_read > 0) { + status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); - if (status != 1) - break; - if (!EVP_MAC_update(ctx, buf, bytes_read)) - goto err; -+ off += bytes_read; - } ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } + if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) goto err; -@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex +@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BI goto err; ret = 1; err: @@ -129,7 +237,7 @@ index b8dc9817b2..e3a629018a 100644 OSSL_SELF_TEST_onend(ev, ret); EVP_MAC_CTX_free(ctx); EVP_MAC_free(mac); -@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) +@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS return 0; } 
@@ -139,19 +247,57 @@ index b8dc9817b2..e3a629018a 100644 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); goto end; } -@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) +@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS if (ev == NULL) goto end; - module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, - &checksum_len); -+ module_checksum = fips_hmac_container; -+ checksum_len = sizeof(fips_hmac_container); ++ if (st->module_checksum_data == NULL) { ++ module_checksum = fips_hmac_container; ++ checksum_len = sizeof(fips_hmac_container); ++ } else { ++ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, ++ &checksum_len); ++ } + if (module_checksum == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); goto end; -@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) +@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); + + /* Always check the integrity of the fips module */ +- if (bio_module == NULL +- || !verify_integrity(bio_module, st->bio_read_ex_cb, +- module_checksum, checksum_len, st->libctx, +- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ if (bio_module == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); + goto end; + } +- ++ if (st->module_checksum_data == NULL) { ++ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } else { ++ if (!verify_integrity(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } + /* This will be NULL during installation - so the self test KATS will run */ + if (st->indicator_data != 
NULL) { + /* +@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS end: EVP_RAND_free(testrand); OSSL_SELF_TEST_free(ev); @@ -159,18 +305,17 @@ index b8dc9817b2..e3a629018a 100644 OPENSSL_free(indicator_checksum); if (st != NULL) { -diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf -new file mode 100644 -index 0000000000..f05d0dedbe +Index: openssl-3.2.3/test/fipsmodule.cnf +=================================================================== --- /dev/null -+++ b/test/fipsmodule.cnf ++++ openssl-3.2.3/test/fipsmodule.cnf @@ -0,0 +1,2 @@ +[fips_sect] +activate = 1 -diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t -index 4e3a6d85e8..e8255ba974 100644 ---- a/test/recipes/00-prep_fipsmodule_cnf.t -+++ b/test/recipes/00-prep_fipsmodule_cnf.t +Index: openssl-3.2.3/test/recipes/00-prep_fipsmodule_cnf.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/00-prep_fipsmodule_cnf.t ++++ openssl-3.2.3/test/recipes/00-prep_fipsmodule_cnf.t @@ -20,7 +20,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; @@ -180,10 +325,10 @@ index 4e3a6d85e8..e8255ba974 100644 plan skip_all => "FIPS module config file only supported in a fips build" if $no_check; -diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t -index ce594817d5..00cebacff8 100644 ---- a/test/recipes/01-test_fipsmodule_cnf.t -+++ b/test/recipes/01-test_fipsmodule_cnf.t +Index: openssl-3.2.3/test/recipes/01-test_fipsmodule_cnf.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/01-test_fipsmodule_cnf.t ++++ openssl-3.2.3/test/recipes/01-test_fipsmodule_cnf.t @@ -23,7 +23,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; 
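Review bot: The new `else` branch in `SELF_TEST_post` fills `module_checksum` from `OPENSSL_hexstr2buf()`, a heap allocation, yet the embedded `@@ -420,7 +601,6 @@` hunk still removes one line at `end:` — presumably the original `OPENSSL_free(module_checksum)` that became wrong once the buffer pointed at the static `fips_hmac_container` — so the config-driven path now leaks that buffer on every exit. Because the two branches hand out different ownership, the cleanup has to discriminate, e.g. `if (module_checksum != fips_hmac_container) OPENSSL_free(module_checksum);` at `end:`. The two `verify_integrity*` calls could also be folded into one `int ok = st->module_checksum_data == NULL ? verify_integrity_rodata(...) : verify_integrity(...);` followed by a single `ERR_raise`/`goto end`, which removes the duplicated error block. `SELF_TEST_post` starts and ends outside this hunk.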
@@ -193,10 +338,10 @@ index ce594817d5..00cebacff8 100644 plan skip_all => "Test only supported in a fips build" if $no_check; plan tests => 1; -diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t -index b8b136d110..8242f4ebc3 100644 ---- a/test/recipes/03-test_fipsinstall.t -+++ b/test/recipes/03-test_fipsinstall.t +Index: openssl-3.2.3/test/recipes/03-test_fipsinstall.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/03-test_fipsinstall.t ++++ openssl-3.2.3/test/recipes/03-test_fipsinstall.t @@ -22,7 +22,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; @@ -206,10 +351,10 @@ index b8b136d110..8242f4ebc3 100644 # Compatible options for pedantic FIPS compliance my @pedantic_okay = -diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t -index c8f145405b..56a2ec5dc4 100644 ---- a/test/recipes/30-test_defltfips.t -+++ b/test/recipes/30-test_defltfips.t +Index: openssl-3.2.3/test/recipes/30-test_defltfips.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/30-test_defltfips.t ++++ openssl-3.2.3/test/recipes/30-test_defltfips.t @@ -24,7 +24,7 @@ use lib bldtop_dir('.'); plan skip_all => "Configuration loading is turned off" if disabled("autoload-config"); @@ -219,10 +364,10 @@ index c8f145405b..56a2ec5dc4 100644 plan tests => ($no_fips ? 1 : 5); -diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t -index 0c6d6402d9..e45f9cb560 100644 ---- a/test/recipes/80-test_ssl_new.t -+++ b/test/recipes/80-test_ssl_new.t +Index: openssl-3.2.3/test/recipes/80-test_ssl_new.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_ssl_new.t ++++ openssl-3.2.3/test/recipes/80-test_ssl_new.t @@ -27,7 +27,7 @@ setup("test_ssl_new"); use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); 
@@ -232,19 +377,16 @@ index 0c6d6402d9..e45f9cb560 100644 $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); -diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t -index 9e9e32b51e..1a1a7159b5 100644 ---- a/test/recipes/90-test_sslapi.t -+++ b/test/recipes/90-test_sslapi.t -@@ -17,7 +17,7 @@ setup("test_sslapi"); - use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); +Index: openssl-3.2.3/test/recipes/90-test_sslapi.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/90-test_sslapi.t ++++ openssl-3.2.3/test/recipes/90-test_sslapi.t +@@ -14,7 +14,7 @@ BEGIN { + setup("test_sslapi"); + } -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); my $fipsmodcfg_filename = "fipsmodule.cnf"; my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); --- -2.41.0 - diff --git a/openssl-FIPS-enforce-EMS-support.patch b/openssl-FIPS-enforce-EMS-support.patch index a30e068..19475d6 100644 --- a/openssl-FIPS-enforce-EMS-support.patch +++ b/openssl-FIPS-enforce-EMS-support.patch 
@@ -22,31 +22,31 @@ Patch-status: | test/sslapitest.c | 2 +- 11 files changed, 76 insertions(+), 5 deletions(-) -Index: openssl-3.1.4/doc/man3/SSL_CONF_cmd.pod -=================================================================== ---- openssl-3.1.4.orig/doc/man3/SSL_CONF_cmd.pod -+++ openssl-3.1.4/doc/man3/SSL_CONF_cmd.pod -@@ -524,6 +524,9 @@ B: use extended ma +diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod +index ae6ca43282..b83c04a308 100644 +--- a/doc/man3/SSL_CONF_cmd.pod ++++ b/doc/man3/SSL_CONF_cmd.pod +@@ -524,6 +524,9 @@ B: use extended master secret extension, enabled by default. Inverse of B: that is, B<-ExtendedMasterSecret> is the same as setting B. +B: allow establishing connections without EMS in FIPS mode. -+This is a downstream specific option, and normally it should be set up via crypto-policies. ++This is a downstream specific option, and normally it should be set up via crypto policies. + B: use CA names extension, enabled by default. Inverse of B: that is, B<-CANames> is the same as setting B. -Index: openssl-3.1.4/doc/man5/fips_config.pod -=================================================================== ---- openssl-3.1.4.orig/doc/man5/fips_config.pod -+++ openssl-3.1.4/doc/man5/fips_config.pod -@@ -15,6 +15,19 @@ See the documentation for more informati +diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod +index 1c15e32a5c..f2cedaf88d 100644 +--- a/doc/man5/fips_config.pod ++++ b/doc/man5/fips_config.pod +@@ -15,6 +15,19 @@ for more information. This functionality was added in OpenSSL 3.0. -+SUSE Linux Enterprise uses a supplementary downstream config for FIPS module located -+in OpenSSL configuration directory and managed by crypto-policies. If present, it -+should have the following format: ++SUSE Enterprise Linux uses a supplementary config for FIPS module located in ++OpenSSL configuration directory and managed by crypto policies. 
If present, it ++should have format + + [fips_sect] + tls1-prf-ems-check = 0 @@ -59,11 +59,11 @@ Index: openssl-3.1.4/doc/man5/fips_config.pod + =head1 COPYRIGHT - Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. -Index: openssl-3.1.4/include/openssl/fips_names.h -=================================================================== ---- openssl-3.1.4.orig/include/openssl/fips_names.h -+++ openssl-3.1.4/include/openssl/fips_names.h + Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h +index 5c77f6d691..8cdd5a6bf7 100644 +--- a/include/openssl/fips_names.h ++++ b/include/openssl/fips_names.h @@ -70,6 +70,14 @@ extern "C" { */ # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md" 
@@ -79,23 +79,23 @@ Index: openssl-3.1.4/include/openssl/fips_names.h # ifdef __cplusplus } # endif -Index: openssl-3.1.4/include/openssl/ssl.h.in -=================================================================== ---- openssl-3.1.4.orig/include/openssl/ssl.h.in -+++ openssl-3.1.4/include/openssl/ssl.h.in -@@ -420,6 +420,7 @@ typedef int (*SSL_async_callback_fn)(SSL +diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in +index 0b6de603e2..26a69ca282 100644 +--- a/include/openssl/ssl.h.in ++++ b/include/openssl/ssl.h.in +@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); * interoperability with CryptoPro CSP 3.x */ # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) +# define SSL_OP_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) - /* - * Option "collections." -Index: openssl-3.1.4/providers/fips/fipsprov.c -=================================================================== ---- openssl-3.1.4.orig/providers/fips/fipsprov.c -+++ openssl-3.1.4/providers/fips/fipsprov.c -@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L + * Disable RFC8879 certificate compression + * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates, +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index 5ff9872bd8..eb9653a9df 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) if (fgbl == NULL) return NULL; init_fips_option(&fgbl->fips_security_checks, 1); 
@@ -104,11 +104,11 @@ Index: openssl-3.1.4/providers/fips/fipsprov.c init_fips_option(&fgbl->fips_restricted_drgb_digests, 0); return fgbl; } -Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/kdfs/tls1_prf.c -+++ openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c -@@ -222,6 +222,27 @@ static int kdf_tls1_prf_derive(void *vct +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index 25a6c79a2e..79bc7a9719 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, } } @@ -136,11 +136,11 @@ Index: openssl-3.1.4/providers/implementations/kdfs/tls1_prf.c return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, ctx->sec, ctx->seclen, ctx->seed, ctx->seedlen, -Index: openssl-3.1.4/ssl/ssl_conf.c -=================================================================== ---- openssl-3.1.4.orig/ssl/ssl_conf.c -+++ openssl-3.1.4/ssl/ssl_conf.c -@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cct +diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c +index 5146cedb96..086db98c33 100644 +--- a/ssl/ssl_conf.c ++++ b/ssl/ssl_conf.c +@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_TBL("ClientRenegotiation", SSL_OP_ALLOW_CLIENT_RENEGOTIATION), SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), 
@@ -148,10 +148,10 @@ Index: openssl-3.1.4/ssl/ssl_conf.c SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), -Index: openssl-3.1.4/ssl/statem/extensions_srvr.c -=================================================================== ---- openssl-3.1.4.orig/ssl/statem/extensions_srvr.c -+++ openssl-3.1.4/ssl/statem/extensions_srvr.c +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index 00b1ee531e..22cdabb308 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c @@ -11,6 +11,7 @@ #include "../ssl_local.h" #include "statem_local.h" @@ -160,13 +160,13 @@ Index: openssl-3.1.4/ssl/statem/extensions_srvr.c #define COOKIE_STATE_FORMAT_VERSION 1 -@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s - EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, +@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, + unsigned int context, X509 *x, size_t chainidx) { - if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) + if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { -+ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_PERMIT_NOEMS_FIPS) ) { ++ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_PERMIT_NOEMS_FIPS) ) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); + return EXT_RETURN_FAIL; + } @@ -175,10 +175,10 @@ Index: openssl-3.1.4/ssl/statem/extensions_srvr.c if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) || !WPACKET_put_bytes_u16(pkt, 0)) { -Index: openssl-3.1.4/ssl/t1_enc.c -=================================================================== ---- openssl-3.1.4.orig/ssl/t1_enc.c -+++ openssl-3.1.4/ssl/t1_enc.c +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 91238e6457..e8ad8ecd9e 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c @@ -20,6 +20,7 @@ #include #include 
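Review bot: The rewritten guard in `tls_construct_stoc_ems` carries a stray space before the closing parenthesis, `& SSL_OP_PERMIT_NOEMS_FIPS) ) {`, where the surrounding OpenSSL code writes `)) {`. Fetching the options through `SSL_CONNECTION_GET_SSL(s)` is the right adaptation to the 3.2 `SSL_CONNECTION` split, but the condition still keys off `FIPS_mode()`, which — to the extent a downstream patch gives it meaning at all — reflects the process-wide default rather than the library context this connection was created in; if per-context FIPS state matters here, `EVP_default_properties_is_fips_enabled(SSL_CONNECTION_GET_CTX(s)->libctx)` would be the more precise test, worth confirming against the downstream definition of `FIPS_mode()`. `tls_construct_stoc_ems` continues outside the hunk.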
@@ -186,7 +186,7 @@ Index: openssl-3.1.4/ssl/t1_enc.c +#include /* seed1 through seed5 are concatenated */ - static int tls1_PRF(SSL *s, + static int tls1_PRF(SSL_CONNECTION *s, @@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s, } @@ -198,17 +198,17 @@ Index: openssl-3.1.4/ssl/t1_enc.c + if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE + && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); -+ else ++ else + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + } else ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); EVP_KDF_CTX_free(kctx); -Index: openssl-3.1.4/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt -=================================================================== ---- openssl-3.1.4.orig/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt -+++ openssl-3.1.4/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt -@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3 +diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +index 44040ff66b..deb6bf3fcb 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf 
@@ -225,3 +225,18 @@ Index: openssl-3.1.4/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt FIPSversion = <=3.1.0 KDF = TLS1-PRF Ctrl.digest = digest:SHA256 +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 169e3c7466..e67b5bb44c 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void) + STACK_OF(X509) *server_chain; + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +- int testresult = 0; ++ int testresult = 0, status; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, +-- +2.41.0 diff --git a/openssl-FIPS-limit-rsa-encrypt.patch b/openssl-FIPS-limit-rsa-encrypt.patch index 66f37ac..d17ae3d 100644 --- a/openssl-FIPS-limit-rsa-encrypt.patch +++ b/openssl-FIPS-limit-rsa-encrypt.patch @@ -1,38 +1,41 @@ -From 56511d480823bedafce604374fa3b15d3b3ffd6b Mon Sep 17 00:00:00 2001 +From 012e319b3d5b936a9208b1c75c13d9c4a2d0cc04 Mon Sep 17 00:00:00 2001 
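Review bot: The newly embedded `test/sslapitest.c` hunk changes `int testresult = 0;` to `int testresult = 0, status;` in `test_client_cert_verify_cb`, but nothing in the hunk uses `status`, and the patch's own diffstat (`test/sslapitest.c | 2 +-`) says this is the only line touched in that file, so unless another downstream patch relies on the declaration it is an unused variable and a warning under `-Wall`. If it is a rebase leftover, revert the line to `int testresult = 0;`; if it is intentional, the use belongs in this same patch or a comment should name the patch that consumes it. `test_client_cert_verify_cb` continues outside the hunk.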
From: rpm-build -Date: Mon, 31 Jul 2023 09:41:28 +0200 -Subject: [PATCH 26/48] 0058-FIPS-limit-rsa-encrypt.patch +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 24/49] 0058-FIPS-limit-rsa-encrypt.patch Patch-name: 0058-FIPS-limit-rsa-encrypt.patch Patch-id: 58 Patch-status: | - # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 -From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd + # # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - providers/common/securitycheck.c | 1 + - .../implementations/asymciphers/rsa_enc.c | 35 +++++++++++ - .../30-test_evp_data/evppkey_rsa_common.txt | 58 ++++++++++++++++++- - test/recipes/80-test_cms.t | 5 +- - test/recipes/80-test_ssl_old.t | 27 +++++++-- - 5 files changed, 118 insertions(+), 8 deletions(-) + providers/common/securitycheck.c | 1 + + .../implementations/asymciphers/rsa_enc.c | 35 +++++ + .../30-test_evp_data/evppkey_rsa_common.txt | 140 +++++++++++++----- + test/recipes/80-test_cms.t | 5 +- + test/recipes/80-test_ssl_old.t | 27 +++- + 5 files changed, 168 insertions(+), 40 deletions(-) -diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c -index e534ad0a5f..c017c658e5 100644 ---- a/providers/common/securitycheck.c -+++ b/providers/common/securitycheck.c -@@ -27,6 +27,7 @@ +Index: openssl-3.2.3/providers/common/securitycheck.c +=================================================================== +--- openssl-3.2.3.orig/providers/common/securitycheck.c ++++ openssl-3.2.3/providers/common/securitycheck.c +@@ -27,6 +27,10 @@ * Set protect = 1 for encryption or signing operations, or 0 otherwise. See * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. 
*/ -+/* SUSE build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */ ++/* ++ * SUSE/openSUSE builds implement some extra limitations in ++ * providers/implementations/asymciphers/rsa_enc.c ++ */ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) { int protect = 0; -diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c -index d865968058..872967bcb3 100644 ---- a/providers/implementations/asymciphers/rsa_enc.c -+++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa, +Index: openssl-3.2.3/providers/implementations/asymciphers/rsa_enc.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/asymciphers/rsa_enc.c ++++ openssl-3.2.3/providers/implementations/asymciphers/rsa_enc.c +@@ -135,6 +135,17 @@ static int rsa_decrypt_init(void *vprsac return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT); } @@ -50,7 +53,7 @@ index d865968058..872967bcb3 100644 static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, size_t outsize, const unsigned char *in, size_t inlen) { -@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, +@@ -144,6 +155,18 @@ static int rsa_encrypt(void *vprsactx, u if (!ossl_prov_is_running()) return 0; @@ -69,7 +72,7 @@ index d865968058..872967bcb3 100644 if (out == NULL) { size_t len = RSA_size(prsactx->rsa); -@@ -204,6 +227,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, +@@ -206,6 +229,18 @@ static int rsa_decrypt(void *vprsactx, u if (!ossl_prov_is_running()) return 0; 
@@ -88,11 +91,11 @@ index d865968058..872967bcb3 100644 if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) { if (out == NULL) { *outlen = SSL_MAX_MASTER_KEY_LENGTH; -diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -index 8680797b90..95d5d51102 100644 ---- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377 +Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +=================================================================== +--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -263,13 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974 Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef # RSA decrypt 
@@ -102,13 +105,394 @@ index 8680797b90..95d5d51102 100644 Input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utput = "Hello World" - # Corrupted ciphertext --FIPSversion = <3.2.0 + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 +Availablein = default + # Note: disable the Bleichenbacher workaround to see if it passes Decrypt = RSA-2048 - Input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trl = rsa_pkcs1_implicit_rejection:0 +@@ -277,7 +277,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235 Output = "Hello World" -@@ -619,36 +619,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: output is generated synthethically by the Bleichenbacher workaround + Decrypt = RSA-2048 +@@ -285,7 +285,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235 + Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: disable the Bleichenbacher workaround to see if it fails + Decrypt = RSA-2048 +@@ -360,82 +360,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-P + # RSA decrypt + + # a random positive test case ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum dolor sit amet" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case decrypting to empty + Decrypt = RSA-2048-2 + Input = 
20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to max length message + Decrypt = RSA-2048-2 + Input = 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 + Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 + # invalid decrypting to message with length specified by second to last value from PRF ++Availablein = default + Decrypt = RSA-2048-2 + Input = 
1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 + Output = 0f9b + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to message with length specified by third to last value from PRF + Decrypt = RSA-2048-2 + Input = 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 + Output = 4f02 + + # positive test with 11 byte long value ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive that generates a 0 byte long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = 
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 + Output = "lorem ipsum" + + # positive that generates a 245 byte long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates an 11 byte long message + Decrypt = RSA-2048-2 + Input = 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 + Output = af9ac70191c92413cb9f2d + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong first byte + # (0x01 instead of 0x00), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -443,7 +451,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be5 + Output = a1f8c9255c35cfba403ccc + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong second byte + # (0x01 instead of 0x02), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -451,7 +459,7 @@ Input = 782c2b59a21a511243820acedd567c13 + Output = e6d700309ca0ed62452254 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with a zero byte in first byte of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -460,7 +468,7 @@ Input = 0096136621faf36d5290b16bd26295de + Output = ba27b1842e7c21c0e7ef6a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with a zero byte removed from first byte of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -469,7 +477,7 @@ Input = 96136621faf36d5290b16bd26295de27 + 
Output = ba27b1842e7c21c0e7ef6a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with two zero bytes in first bytes of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -478,7 +486,7 @@ Input = 0000587cccc6b264bdfe0dc2149a9880 + Output = d5cf555b1d6151029a429a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with two zero bytes removed from first bytes of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -487,7 +495,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa + Output = d5cf555b1d6151029a429a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # and invalid ciphertext, otherwise valid but starting with 000002, decrypts + # to random 11 byte long synthetic plaintext + Decrypt = RSA-2048-2 +@@ -495,7 +503,7 @@ Input = 1786550ce8d8433052e01ecba8b76d30 + Output = 3d4a054d9358209e9cbbb9 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte in first byte + # of padding + Decrypt = RSA-2048-2 +@@ -503,7 +511,7 @@ Input = 179598823812d2c58a7eb50521150a48 + Output = 1f037dd717b07d3e7f7359 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte at the eighth + # byte of padding + Decrypt = RSA-2048-2 +@@ -511,7 +519,7 @@ Input = a7a340675a82c30e22219a55bc07cdf3 + Output = 63cb0bf65fc8255dd29e17 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with an otherwise valid plaintext but with missing separator + # byte + Decrypt = RSA-2048-2 +@@ 
-566,53 +574,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLI + # RSA decrypt + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # malformed that generates length specified by 3rd last value from PRF + Decrypt = RSA-2049 + Input = 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 + Output = 42 + + # simple positive test case ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates an 11 byte long message + Decrypt = RSA-2049 + Input = 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 + Output = 1189b6f5498fd6df532b00 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-2049 + Input = 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 + Output = f6d0f5b78082fe61c04674 + + # The old FIPS provider doesn't include the workaround (#13817) 
+-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-2049 + Input = 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 +@@ -676,14 +689,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKu + PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid ciphertext that generates an empty synthetic one + Decrypt = RSA-3072 + Input = 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 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that has PRF output with a length one byte too long + # in the last value + Decrypt = RSA-3072 +@@ -691,46 +704,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d8 + Output = 56a3bea054e01338be9b7d7957539c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that generates a synthetic of maximum size + Decrypt = RSA-3072 + Input = 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 + Output = 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 + + # a positive test case that decrypts to 9 byte long value ++Availablein = default + Decrypt = RSA-3072 + Input = 
6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde + Output = "forty two" + + # a positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 + Output = "forty two" + + # a positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 
f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 + Output = "forty two" + + # a positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 + Output = "forty two" + + # a positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 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 + Output = "forty two" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 
++Availablein = default + # a random negative test case that generates a 9 byte long message + Decrypt = RSA-3072 + Input = 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 + Output = 257906ca6de8307728 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message based on + # second to last value from PRF + Decrypt = RSA-3072 +@@ -738,7 +756,7 @@ Input = 758c215aa6acd61248062b88284bf43c + Output = 043383c929060374ed + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates message based on 3rd last value from + # PRF + Decrypt = RSA-3072 +@@ -746,35 +764,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4 + Output = 70263fa6050534b9e0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-3072 + Input = 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 + Output = 6d8d3a094ff3afff4c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-3072 + Input = 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 + Output = c6ae80ffa80bc184b0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in first byte of padding + Decrypt = RSA-3072 + Input = 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 + Output = a8a9301daa01bb25c7 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in eight byte of padding 
+ Decrypt = RSA-3072 + Input = 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 + Output = 6c716fe01d44398018 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with null separator missing + Decrypt = RSA-3072 + Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4 +@@ -1153,36 +1171,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mN h90qjKHS9PvY4Q== -----END PRIVATE KEY----- @@ -151,7 +535,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-1 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -673,36 +679,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8 +@@ -1207,36 +1231,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64 eG2e4XlBcKjI6A== -----END PRIVATE KEY----- @@ -194,7 +578,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-2 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -727,36 +739,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z +@@ -1261,36 +1291,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+W Ya4qnqZe1onjY5o= -----END PRIVATE KEY----- 
@@ -237,7 +621,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-3 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -781,36 +799,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq +@@ -1315,36 +1351,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/ aD0x7TDrmEvkEro= -----END PRIVATE KEY----- @@ -280,7 +664,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-4 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -835,36 +859,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B +@@ -1369,36 +1411,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/ MSwGUGLx60i3nRyDyw== -----END PRIVATE KEY----- @@ -323,7 +707,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-5 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -889,36 +919,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC +@@ -1423,36 +1471,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hq Yejn5Ly8mU2q+jBcRQ== -----END PRIVATE KEY----- @@ -366,7 +750,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-6 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -943,36 +979,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS +@@ -1477,36 +1531,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4 FMlxv0gq65dqc3DC -----END PRIVATE KEY----- @@ -409,7 +793,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-7 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -997,36 +1039,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM +@@ -1531,36 +1591,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15E 2MiPa249Z+lh3Luj0A== -----END PRIVATE KEY----- @@ -452,7 +836,7 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-8 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1057,36 +1105,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo +@@ -1591,36 +1657,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSc tKo5Eb69iFQvBb4= -----END PRIVATE KEY----- 
@@ -495,11 +879,11 @@ index 8680797b90..95d5d51102 100644 Decrypt=RSA-OAEP-9 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index cbec426137..9ba7fbeed2 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -233,7 +233,7 @@ my @smime_pkcs7_tests = ( +Index: openssl-3.2.3/test/recipes/80-test_cms.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_cms.t ++++ openssl-3.2.3/test/recipes/80-test_cms.t +@@ -235,7 +235,7 @@ my @smime_pkcs7_tests = ( \&final_compare ], @@ -508,7 +892,7 @@ index cbec426137..9ba7fbeed2 100644 [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, "-aes256", "-stream", "-out", "{output}.cms", $smrsa1, -@@ -1022,6 +1022,9 @@ sub check_availability { +@@ -1125,6 +1125,9 @@ sub check_availability { return "$tnam: skipped, DSA disabled\n" if ($no_dsa && $tnam =~ / DSA/); 
@@ -518,30 +902,30 @@ index cbec426137..9ba7fbeed2 100644 return ""; } -diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t -index e2dcb68fb5..0775112b40 100644 ---- a/test/recipes/80-test_ssl_old.t -+++ b/test/recipes/80-test_ssl_old.t -@@ -493,6 +493,18 @@ sub testssl { +Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t ++++ openssl-3.2.3/test/recipes/80-test_ssl_old.t +@@ -497,6 +497,18 @@ sub testssl { # the default choice if TLSv1.3 enabled my $flag = $protocol eq "-tls1_3" ? "" : $protocol; my $ciphersuites = ""; -+ my %suse_skip_cipher = map {$_ => 1} qw( -+AES256-GCM-SHA384:@SECLEVEL=0 -+AES256-CCM8:@SECLEVEL=0 -+AES256-CCM:@SECLEVEL=0 -+AES128-GCM-SHA256:@SECLEVEL=0 -+AES128-CCM8:@SECLEVEL=0 -+AES128-CCM:@SECLEVEL=0 -+AES256-SHA256:@SECLEVEL=0 -+AES128-SHA256:@SECLEVEL=0 -+AES256-SHA:@SECLEVEL=0 -+AES128-SHA:@SECLEVEL=0 ++ my %FIPS_skip_cipher = map {$_ => 1} qw( ++ AES256-GCM-SHA384:@SECLEVEL=0 ++ AES256-CCM8:@SECLEVEL=0 ++ AES256-CCM:@SECLEVEL=0 ++ AES128-GCM-SHA256:@SECLEVEL=0 ++ AES128-CCM8:@SECLEVEL=0 ++ AES128-CCM:@SECLEVEL=0 ++ AES256-SHA256:@SECLEVEL=0 ++ AES128-SHA256:@SECLEVEL=0 ++ AES256-SHA:@SECLEVEL=0 ++ AES128-SHA:@SECLEVEL=0 + ); foreach my $cipher (@{$ciphersuites{$protocol}}) { if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { note "*****SKIPPING $protocol $cipher"; -@@ -504,11 +516,16 @@ sub testssl { +@@ -508,11 +520,16 @@ sub testssl { } else { $cipher = $cipher.':@SECLEVEL=0'; } @@ -550,7 +934,7 @@ index e2dcb68fb5..0775112b40 100644 - "-ciphersuites", $ciphersuites, - $flag || ()])), - "Testing $cipher"); -+ if ($provider eq "fips" && exists $suse_skip_cipher{$cipher}) { ++ if ($provider eq "fips" && exists $FIPS_skip_cipher{$cipher}) { + note "*****SKIPPING $cipher in SUSE FIPS mode"; + ok(1); + } else { 
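Review bot: The FIPS skip branch in testssl records a skipped cipher as a passing assertion — `note "*****SKIPPING $cipher in SUSE FIPS mode"; ok(1);` — so if the skip list drifts or a listed cipher silently stops being exercised, nothing in the TAP output distinguishes it from a real pass. Wrapping the per-cipher check in a `SKIP:` block and calling `skip "SUSE FIPS mode: $cipher", 1 if $provider eq "fips" && exists $FIPS_skip_cipher{$cipher};` records an explicit skip while keeping the test count unchanged. The rename to `%FIPS_skip_cipher` also departs from the lower-case hash naming used around it (`%ciphersuites`); `%fips_skip_cipher` would match. The enclosing sub testssl starts and ends outside the hunk.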
@@ -563,6 +947,3 @@ index e2dcb68fb5..0775112b40 100644 } } next if $protocol eq "-tls1_3"; --- -2.41.0 - diff --git a/openssl-FIPS-release_num_in_version_string.patch b/openssl-FIPS-release_num_in_version_string.patch deleted file mode 100644 index bf852d1..0000000 --- a/openssl-FIPS-release_num_in_version_string.patch +++ /dev/null @@ -1,27 +0,0 @@ -Index: openssl-3.1.4/providers/fips/fipsprov.c -=================================================================== ---- openssl-3.1.4.orig/providers/fips/fipsprov.c -+++ openssl-3.1.4/providers/fips/fipsprov.c -@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p - - static int fips_get_params(void *provctx, OSSL_PARAM params[]) - { -+#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE - OSSL_PARAM *p; - FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), - OSSL_LIB_CTX_FIPS_PROV_INDEX); - - p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); -- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) -+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider")) - return 0; - p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); -- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) -+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR)) - return 0; - p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO); -- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) -+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR)) - return 0; - p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); - if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) diff --git a/openssl-FIPS-services-minimize.patch b/openssl-FIPS-services-minimize.patch index 9b0790a..89b2914 100644 --- a/openssl-FIPS-services-minimize.patch +++ b/openssl-FIPS-services-minimize.patch 
@@ -1,12 +1,13 @@ -From a9dc983f82cabe29d6b48f3af3e30e26074ce5cf Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Mon, 21 Aug 2023 12:55:57 +0200 -Subject: [PATCH 21/48] 0045-FIPS-services-minimize.patch +From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch Patch-name: 0045-FIPS-services-minimize.patch Patch-id: 45 Patch-status: | - # Minimize fips services + # # Minimize fips services +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- apps/ecparam.c | 7 +++ apps/req.c | 2 +- @@ -20,16 +21,16 @@ Patch-status: | test/evp_libctx_test.c | 9 +++- test/recipes/15-test_gendsa.t | 2 +- test/recipes/20-test_cli_fips.t | 3 +- - test/recipes/30-test_evp.t | 16 +++---- + test/recipes/30-test_evp.t | 20 ++++----- .../30-test_evp_data/evpmac_common.txt | 22 ++++++++++ test/recipes/80-test_cms.t | 22 +++++----- test/recipes/80-test_ssl_old.t | 2 +- - 16 files changed, 128 insertions(+), 47 deletions(-) + 16 files changed, 128 insertions(+), 51 deletions(-) -diff --git a/apps/ecparam.c b/apps/ecparam.c -index 9e9ad13683..9c66cf2434 100644 ---- a/apps/ecparam.c -+++ b/apps/ecparam.c +Index: openssl-3.2.3/apps/ecparam.c +=================================================================== +--- openssl-3.2.3.orig/apps/ecparam.c ++++ openssl-3.2.3/apps/ecparam.c @@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out) const char *comment = curves[n].comment; const char *sname = OBJ_nid2sn(curves[n].nid); 
@@ -44,11 +45,11 @@ index 9e9ad13683..9c66cf2434 100644 if (comment == NULL) comment = "CURVE DESCRIPTION NOT AVAILABLE"; if (sname == NULL) -diff --git a/apps/req.c b/apps/req.c -index 23757044ab..5916914978 100644 ---- a/apps/req.c -+++ b/apps/req.c -@@ -266,7 +266,7 @@ int req_main(int argc, char **argv) +Index: openssl-3.2.3/apps/req.c +=================================================================== +--- openssl-3.2.3.orig/apps/req.c ++++ openssl-3.2.3/apps/req.c +@@ -268,7 +268,7 @@ int req_main(int argc, char **argv) unsigned long chtype = MBSTRING_ASC, reqflag = 0; #ifndef OPENSSL_NO_DES @@ -56,12 +57,12 @@ index 23757044ab..5916914978 100644 + cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); #endif - prog = opt_init(argc, argv, req_options); -diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c -index ed37e76969..eb836dfa6a 100644 ---- a/providers/common/capabilities.c -+++ b/providers/common/capabilities.c -@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list[][10] = { + opt_set_unknown_name("digest"); +Index: openssl-3.2.3/providers/common/capabilities.c +=================================================================== +--- openssl-3.2.3.orig/providers/common/capabilities.c ++++ openssl-3.2.3/providers/common/capabilities.c +@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25), TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26), TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27), 
@@ -69,14 +70,37 @@ index ed37e76969..eb836dfa6a 100644 TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28), TLS_GROUP_ENTRY("x448", "X448", "X448", 29), +# endif - # endif /* OPENSSL_NO_EC */ - # ifndef OPENSSL_NO_DH - /* Security bit values for FFDHE groups are as per RFC 7919 */ -diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index 518226dfc6..29438faea8 100644 ---- a/providers/fips/fipsprov.c -+++ b/providers/fips/fipsprov.c -@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = { + # ifndef FIPS_MODULE + TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30), + TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31), +Index: openssl-3.2.3/providers/fips/fipsprov.c +=================================================================== +--- openssl-3.2.3.orig/providers/fips/fipsprov.c ++++ openssl-3.2.3/providers/fips/fipsprov.c +@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p + + static int fips_get_params(void *provctx, OSSL_PARAM params[]) + { ++#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE + OSSL_PARAM *p; + FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), + OSSL_LIB_CTX_FIPS_PROV_INDEX); + + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider")) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); + if 
(p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) +@@ -298,10 +299,11 @@ static const OSSL_ALGORITHM fips_digests * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for * KMAC128 and KMAC256. */ @@ -90,7 +114,7 @@ index 518226dfc6..29438faea8 100644 { NULL, NULL, NULL } }; -@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = { +@@ -360,8 +362,9 @@ static const OSSL_ALGORITHM_CAPABLE fips ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, ossl_cipher_capable_aes_cbc_hmac_sha256), #ifndef OPENSSL_NO_DES @@ -102,7 +126,7 @@ index 518226dfc6..29438faea8 100644 #endif /* OPENSSL_NO_DES */ { { NULL, NULL, NULL }, NULL } }; -@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = { +@@ -373,8 +376,9 @@ static const OSSL_ALGORITHM fips_macs[] #endif { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, 
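Review bot: fips_get_params now returns the same `SUSE_OPENSSL_VERSION_STR` for both `OSSL_PROV_PARAM_VERSION` and `OSSL_PROV_PARAM_BUILDINFO`, whereas the replaced lines returned `OPENSSL_FULL_VERSION_STR` for build info, so a consumer that reads the build-info parameter to tell a pre-release or patched build apart from the plain version loses that distinction. If that is intended, a one-line comment above the BUILDINFO branch should say so, e.g. `/* BUILDINFO deliberately mirrors VERSION: the SUSE release tag is the build identifier */`. The `#define SUSE_OPENSSL_VERSION_STR` sitting inside the function body is unconventional and belongs with the file-scope macros; it also expands `SUSE_OPENSSL_RELEASE`, which this hunk never defines and which presumably arrives from the build flags, so an `#ifndef SUSE_OPENSSL_RELEASE` / `#error "SUSE_OPENSSL_RELEASE must be defined"` guard would turn a missing definition into a direct diagnostic. The function continues past the hunk.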
@@ -114,38 +138,39 @@ index 518226dfc6..29438faea8 100644 { NULL, NULL, NULL } }; -@@ -409,8 +412,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = { - #endif +@@ -410,8 +414,9 @@ static const OSSL_ALGORITHM fips_keyexch #ifndef OPENSSL_NO_EC { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, + # ifndef OPENSSL_NO_ECX - { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, - { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, + /* We don't certify Edwards curves in our FIPS provider */ + /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, + { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/ + # endif #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, - ossl_kdf_tls1_prf_keyexch_functions }, -@@ -420,13 +424,15 @@ static const OSSL_ALGORITHM fips_keyexch[] = { +@@ -422,14 +427,16 @@ static const OSSL_ALGORITHM fips_keyexch static const OSSL_ALGORITHM fips_signature[] = { #ifndef OPENSSL_NO_DSA - { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, + /* We don't certify DSA in our FIPS provider */ -+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/ #endif { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, #ifndef OPENSSL_NO_EC + # ifndef OPENSSL_NO_ECX - { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, + /* We don't certify Edwards curves in our FIPS provider */ + /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_signature_functions }, - { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, -+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, */ ++ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/ + # endif { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, 
ossl_ecdsa_signature_functions }, #endif - { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, -@@ -456,8 +462,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { +@@ -460,8 +467,9 @@ static const OSSL_ALGORITHM fips_keymgmt PROV_DESCS_DHX }, #endif #ifndef OPENSSL_NO_DSA @@ -157,10 +182,10 @@ index 518226dfc6..29438faea8 100644 #endif { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, PROV_DESCS_RSA }, -@@ -466,14 +473,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { - #ifndef OPENSSL_NO_EC +@@ -471,14 +479,15 @@ static const OSSL_ALGORITHM fips_keymgmt { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions, PROV_DESCS_EC }, + # ifndef OPENSSL_NO_ECX - { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, + /* We don't certify Edwards curves in our FIPS provider */ + /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, @@ -172,14 +197,14 @@ index 518226dfc6..29438faea8 100644 { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions, - PROV_DESCS_ED448 }, + PROV_DESCS_ED448 }, */ + # endif #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, - PROV_DESCS_TLS1_PRF_SIGN }, -diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc -index 2057378d3d..4b80bb70b9 100644 ---- a/providers/fips/self_test_data.inc -+++ b/providers/fips/self_test_data.inc -@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] = +Index: openssl-3.2.3/providers/fips/self_test_data.inc +=================================================================== +--- openssl-3.2.3.orig/providers/fips/self_test_data.inc ++++ openssl-3.2.3/providers/fips/self_test_data.inc +@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest /*- CIPHER TEST DATA */ /* DES3 test data */ 
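Review bot: The Edwards-curve and DSA entries in fips_keyexch and fips_signature are disabled by wrapping the initializer lines in `/* ... */` rather than deleting them or guarding them with `#if 0`; C block comments do not nest, so any later comment placed on those lines would reopen the initializer, and the surviving `# ifndef OPENSSL_NO_ECX` / `# endif` pairs now guard nothing but commented text. The intent is already stated in `/* We don't certify Edwards curves in our FIPS provider */`; keeping that comment and removing the entries (or using `#if 0 ... #endif`) keeps the preprocessor guards meaningful. The same pattern appears in the two fips_keymgmt hunks that follow on this line.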
@@ -187,7 +212,7 @@ index 2057378d3d..4b80bb70b9 100644 static const unsigned char des_ede3_cbc_pt[] = { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, -@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = { +@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 }; @@ -196,7 +221,7 @@ index 2057378d3d..4b80bb70b9 100644 /* AES-256 GCM test data */ static const unsigned char aes_256_gcm_key[] = { 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, -@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = { +@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[ # endif /* OPENSSL_NO_EC2M */ #endif /* OPENSSL_NO_EC */ @@ -215,7 +240,7 @@ index 2057378d3d..4b80bb70b9 100644 /* Hash DRBG inputs for signature KATs */ static const unsigned char sig_kat_entropyin[] = { -@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { +@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tes }, # endif #endif /* OPENSSL_NO_EC */ @@ -223,7 +248,7 @@ index 2057378d3d..4b80bb70b9 100644 #ifndef OPENSSL_NO_DSA { OSSL_SELF_TEST_DESC_SIGN_DSA, -@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { +@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tes ITM(dsa_expected_sig) }, #endif /* OPENSSL_NO_DSA */ 
@@ -231,11 +256,11 @@ index 2057378d3d..4b80bb70b9 100644 }; static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = { -diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index d4261e8f7d..2a5504d104 100644 ---- a/providers/implementations/signature/rsa_sig.c -+++ b/providers/implementations/signature/rsa_sig.c -@@ -689,6 +689,14 @@ static int rsa_verify_recover(void *vprsactx, +Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c +@@ -702,6 +702,19 @@ static int rsa_verify_recover(void *vprs { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; int ret; @@ -243,14 +268,19 @@ index d4261e8f7d..2a5504d104 100644 + size_t rsabits = RSA_bits(prsactx->rsa); + + if (rsabits < 2048) { -+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -+ return 0; ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } + } +# endif if (!ossl_prov_is_running()) return 0; -@@ -777,6 +790,14 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, +@@ -790,6 +803,19 @@ static int rsa_verify(void *vprsactx, co { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; size_t rslen; 
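Review bot: The legacy key-size allowance added to rsa_verify_recover is duplicated verbatim in rsa_verify (the hunk on the next line), and nothing in either hunk explains why exactly 1024, 1280, 1536 and 1792 bits are accepted below the 2048-bit floor, so a reader cannot tell whether this is a verify-only allowance for signatures made with older keys or an arbitrary list. Factoring both copies into one static helper with a comment carrying that rationale (to be confirmed against the policy the SUSE FIPS module is validated under) stops the two sites drifting apart. `RSA_bits()` returns an int, so the helper can keep it as an int instead of the silent widening into `size_t` that both hunks perform. Both enclosing functions continue past their hunks.
```c
#ifdef FIPS_MODULE
/*
 * Verify-only RSA key-size policy: 2048 bits and up, plus the listed
 * legacy sizes.  TODO(review): cite the policy document that sanctions
 * 1024/1280/1536/1792-bit keys for signature verification.
 */
static int rsa_verify_keysize_ok(const RSA *rsa)
{
    int rsabits = RSA_bits(rsa);

    if (rsabits >= 2048)
        return 1;
    switch (rsabits) {
    case 1024:
    case 1280:
    case 1536:
    case 1792:
        return 1;
    default:
        ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
        return 0;
    }
}
#endif

/* … unchanged: rsa_verify_recover() signature and locals … */
# ifdef FIPS_MODULE
    if (!rsa_verify_keysize_ok(prsactx->rsa))
        return 0;
# endif
    if (!ossl_prov_is_running())
        return 0;
/* … unchanged: rest of rsa_verify_recover(); rsa_verify() gets the same guarded call … */
```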
@@ -258,17 +288,22 @@ index d4261e8f7d..2a5504d104 100644 + size_t rsabits = RSA_bits(prsactx->rsa); + + if (rsabits < 2048) { -+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -+ return 0; ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } + } +# endif if (!ossl_prov_is_running()) return 0; -diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index a5e60e8839..f9af07d12b 100644 ---- a/ssl/ssl_ciph.c -+++ b/ssl/ssl_ciph.c +Index: openssl-3.2.3/ssl/ssl_ciph.c +=================================================================== +--- openssl-3.2.3.orig/ssl/ssl_ciph.c ++++ openssl-3.2.3/ssl/ssl_ciph.c @@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) ctx->disabled_mkey_mask = 0; ctx->disabled_auth_mask = 0; @@ -278,12 +313,12 @@ index a5e60e8839..f9af07d12b 100644 + /* * We ignore any errors from the fetches below. They are expected to fail - * if theose algorithms are not available. -diff --git a/test/acvp_test.c b/test/acvp_test.c -index fee880d441..13d7a0ea8b 100644 ---- a/test/acvp_test.c -+++ b/test/acvp_test.c -@@ -1476,6 +1476,7 @@ int setup_tests(void) + * if these algorithms are not available. +Index: openssl-3.2.3/test/acvp_test.c +=================================================================== +--- openssl-3.2.3.orig/test/acvp_test.c ++++ openssl-3.2.3/test/acvp_test.c +@@ -1478,6 +1478,7 @@ int setup_tests(void) OSSL_NELEM(dh_safe_prime_keyver_data)); #endif /* OPENSSL_NO_DH */ @@ -291,7 +326,7 @@ index fee880d441..13d7a0ea8b 100644 #ifndef OPENSSL_NO_DSA ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data)); -@@ -1483,6 +1484,7 @@ int setup_tests(void) +@@ -1485,6 +1486,7 @@ int setup_tests(void) ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); #endif /* OPENSSL_NO_DSA */ 
@@ -299,11 +334,11 @@ index fee880d441..13d7a0ea8b 100644 #ifndef OPENSSL_NO_EC ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data)); -diff --git a/test/endecode_test.c b/test/endecode_test.c -index 9a437d8c64..53385028fc 100644 ---- a/test/endecode_test.c -+++ b/test/endecode_test.c -@@ -1407,6 +1407,7 @@ int setup_tests(void) +Index: openssl-3.2.3/test/endecode_test.c +=================================================================== +--- openssl-3.2.3.orig/test/endecode_test.c ++++ openssl-3.2.3/test/endecode_test.c +@@ -1424,6 +1424,7 @@ int setup_tests(void) * so no legacy tests. */ #endif @@ -311,7 +346,7 @@ index 9a437d8c64..53385028fc 100644 #ifndef OPENSSL_NO_DSA ADD_TEST_SUITE(DSA); ADD_TEST_SUITE_PARAMS(DSA); -@@ -1417,6 +1418,7 @@ int setup_tests(void) +@@ -1434,6 +1435,7 @@ int setup_tests(void) ADD_TEST_SUITE_PROTECTED_PVK(DSA); # endif #endif @@ -319,9 +354,9 @@ index 9a437d8c64..53385028fc 100644 #ifndef OPENSSL_NO_EC ADD_TEST_SUITE(EC); ADD_TEST_SUITE_PARAMS(EC); -@@ -1431,10 +1433,12 @@ int setup_tests(void) - ADD_TEST_SUITE(ECExplicitTri2G); - ADD_TEST_SUITE_LEGACY(ECExplicitTri2G); +@@ -1454,10 +1456,12 @@ int setup_tests(void) + ADD_TEST_SUITE(SM2); + } # endif + if (is_fips == 0) { ADD_TEST_SUITE(ED25519); @@ -332,10 +367,10 @@ index 9a437d8c64..53385028fc 100644 /* * ED25519, ED448, X25519 and X448 have no support for * PEM_write_bio_PrivateKey_traditional(), so no legacy tests. -diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c -index 2448c35a14..a7913cda4c 100644 ---- a/test/evp_libctx_test.c -+++ b/test/evp_libctx_test.c +Index: openssl-3.2.3/test/evp_libctx_test.c +=================================================================== +--- openssl-3.2.3.orig/test/evp_libctx_test.c ++++ openssl-3.2.3/test/evp_libctx_test.c @@ -21,6 +21,7 @@ */ #include "internal/deprecated.h" 
@@ -366,10 +401,10 @@ index 2448c35a14..a7913cda4c 100644 #endif return 1; } -diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t -index b495b08bda..69bd299521 100644 ---- a/test/recipes/15-test_gendsa.t -+++ b/test/recipes/15-test_gendsa.t +Index: openssl-3.2.3/test/recipes/15-test_gendsa.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/15-test_gendsa.t ++++ openssl-3.2.3/test/recipes/15-test_gendsa.t @@ -24,7 +24,7 @@ use lib bldtop_dir('.'); plan skip_all => "This test is unsupported in a no-dsa build" if disabled("dsa"); @@ -379,11 +414,11 @@ index b495b08bda..69bd299521 100644 plan tests => ($no_fips ? 0 : 2) # FIPS related tests -diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t -index 6d3c5ba1bb..2ba47b5fca 100644 ---- a/test/recipes/20-test_cli_fips.t -+++ b/test/recipes/20-test_cli_fips.t -@@ -273,8 +273,7 @@ SKIP: { +Index: openssl-3.2.3/test/recipes/20-test_cli_fips.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/20-test_cli_fips.t ++++ openssl-3.2.3/test/recipes/20-test_cli_fips.t +@@ -278,8 +278,7 @@ SKIP: { } SKIP : { @@ -393,11 +428,11 @@ index 6d3c5ba1bb..2ba47b5fca 100644 subtest DSA => sub { my $testtext_prefix = 'DSA'; -diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t -index 9d7040ced2..f8beb538d4 100644 ---- a/test/recipes/30-test_evp.t -+++ b/test/recipes/30-test_evp.t -@@ -42,10 +42,8 @@ my @files = qw( +Index: openssl-3.2.3/test/recipes/30-test_evp.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/30-test_evp.t ++++ openssl-3.2.3/test/recipes/30-test_evp.t +@@ -46,10 +46,8 @@ my @files = qw( evpciph_aes_cts.txt evpciph_aes_wrap.txt evpciph_aes_stitched.txt 
@@ -408,20 +443,23 @@ index 9d7040ced2..f8beb538d4 100644 evpkdf_pbkdf1.txt evpkdf_pbkdf2.txt evpkdf_ss.txt -@@ -65,12 +63,6 @@ push @files, qw( - evppkey_ffdhe.txt +@@ -70,15 +68,6 @@ push @files, qw( evppkey_dh.txt ) unless $no_dh; --push @files, qw( + push @files, qw( - evpkdf_x942_des.txt - evpmac_cmac_des.txt - ) unless $no_des; -push @files, qw(evppkey_dsa.txt) unless $no_dsa; --push @files, qw(evppkey_ecx.txt) unless $no_ec; - push @files, qw( +-push @files, qw( +- evppkey_ecx.txt +- evppkey_mismatch_ecx.txt +- ) unless $no_ecx; +-push @files, qw( evppkey_ecc.txt evppkey_ecdh.txt -@@ -91,6 +83,7 @@ my @defltfiles = qw( + evppkey_ecdsa.txt +@@ -97,6 +86,7 @@ my @defltfiles = qw( evpciph_cast5.txt evpciph_chacha.txt evpciph_des.txt @@ -429,7 +467,7 @@ index 9d7040ced2..f8beb538d4 100644 evpciph_idea.txt evpciph_rc2.txt evpciph_rc4.txt -@@ -114,10 +107,17 @@ my @defltfiles = qw( +@@ -121,13 +111,19 @@ my @defltfiles = qw( evpmd_whirlpool.txt evppbe_scrypt.txt evppbe_pkcs12.txt 
@@ -445,13 +483,16 @@ index 9d7040ced2..f8beb538d4 100644 + evpmac_cmac_des.txt + ) unless $no_des; push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; + push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec; +-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa; push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; - -diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt -index 93195df97c..315413cd9b 100644 ---- a/test/recipes/30-test_evp_data/evpmac_common.txt -+++ b/test/recipes/30-test_evp_data/evpmac_common.txt -@@ -340,6 +340,7 @@ IV = 7AE8E2CA4EC500012E58495C + push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv; + push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv; +Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt +=================================================================== +--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evpmac_common.txt ++++ openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt +@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007 Result = MAC_INIT_ERROR @@ -459,7 +500,7 @@ index 93195df97c..315413cd9b 100644 Title = KMAC Tests (From NIST) MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F -@@ -350,12 +351,14 @@ Ctrl = xof:0 +@@ -373,12 +374,14 @@ Ctrl = xof:0 OutputSize = 32 BlockSize = 168 
@@ -474,7 +515,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -363,6 +366,7 @@ Custom = "My Tagged Application" +@@ -386,6 +389,7 @@ Custom = "My Tagged Application" Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 Ctrl = size:32 @@ -482,7 +523,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 00010203 -@@ -371,12 +375,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC +@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6 OutputSize = 64 BlockSize = 136 @@ -497,7 +538,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -386,12 +392,14 @@ Ctrl = size:64 +@@ -409,12 +415,14 @@ Ctrl = size:64 Title = KMAC XOF Tests (From NIST) 
@@ -512,7 +553,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 00010203 -@@ -399,6 +407,7 @@ Custom = "My Tagged Application" +@@ -422,6 +430,7 @@ Custom = "My Tagged Application" Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C XOF = 1 @@ -520,7 +561,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -407,6 +416,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F +@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF6584 XOF = 1 Ctrl = size:32 @@ -528,7 +569,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 00010203 -@@ -414,6 +424,7 @@ Custom = "My Tagged Application" +@@ -437,6 +447,7 @@ Custom = "My Tagged Application" Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B XOF = 1 
@@ -536,7 +577,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -421,6 +432,7 @@ Custom = "" +@@ -444,6 +455,7 @@ Custom = "" Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B XOF = 1 @@ -544,7 +585,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -431,6 +443,7 @@ XOF = 1 +@@ -454,6 +466,7 @@ XOF = 1 Title = KMAC long customisation string (from NIST ACVP) @@ -552,7 +593,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D -@@ -441,12 +454,14 @@ XOF = 1 +@@ -464,12 +477,14 @@ XOF = 1 Title = KMAC XOF Tests via ctrl (From NIST) 
@@ -567,7 +608,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 00010203 -@@ -454,6 +469,7 @@ Custom = "My Tagged Application" +@@ -477,6 +492,7 @@ Custom = "My Tagged Application" Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C Ctrl = xof:1 @@ -575,7 +616,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -462,6 +478,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F +@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF6584 Ctrl = xof:1 Ctrl = size:32 @@ -583,7 +624,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 00010203 -@@ -469,6 +486,7 @@ Custom = "My Tagged Application" +@@ -492,6 +509,7 @@ Custom = "My Tagged Application" Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B Ctrl = xof:1 
@@ -591,7 +632,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -476,6 +494,7 @@ Custom = "" +@@ -499,6 +517,7 @@ Custom = "" Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B Ctrl = xof:1 @@ -599,7 +640,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -486,6 +505,7 @@ Ctrl = xof:1 +@@ -509,6 +528,7 @@ Ctrl = xof:1 Title = KMAC long customisation string via ctrl (from NIST ACVP) @@ -607,7 +648,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D -@@ -496,6 +516,7 @@ Ctrl = xof:1 +@@ -519,6 +539,7 @@ Ctrl = xof:1 Title = KMAC long customisation string negative test 
@@ -615,7 +656,7 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -504,6 +525,7 @@ Result = MAC_INIT_ERROR +@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR Title = KMAC output is too large @@ -623,10 +664,10 @@ index 93195df97c..315413cd9b 100644 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 40dd585c18..cbec426137 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t +Index: openssl-3.2.3/test/recipes/80-test_cms.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_cms.t ++++ openssl-3.2.3/test/recipes/80-test_cms.t @@ -96,7 +96,7 @@ my @smime_pkcs7_tests = ( \&final_compare ], @@ -699,7 +740,7 @@ index 40dd585c18..cbec426137 100644 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-signer", $smrsa1, "-signer", catfile($smdir, "smrsa2.pem"), -@@ -248,7 +248,7 @@ my @smime_pkcs7_tests = ( +@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = ( my @smime_cms_tests = ( 
@@ -708,7 +749,7 @@ index 40dd585c18..cbec426137 100644 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", "-keyid", "-signer", $smrsa1, -@@ -261,7 +261,7 @@ my @smime_cms_tests = ( +@@ -263,7 +263,7 @@ my @smime_cms_tests = ( \&final_compare ], @@ -717,7 +758,7 @@ index 40dd585c18..cbec426137 100644 [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-signer", $smrsa1, "-signer", catfile($smdir, "smrsa2.pem"), -@@ -371,7 +371,7 @@ my @smime_cms_tests = ( +@@ -373,7 +373,7 @@ my @smime_cms_tests = ( \&final_compare ], @@ -726,10 +767,10 @@ index 40dd585c18..cbec426137 100644 [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", "-stream", "-out", "{output}.cms" ], -diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t -index 50b74a1e29..e2dcb68fb5 100644 ---- a/test/recipes/80-test_ssl_old.t -+++ b/test/recipes/80-test_ssl_old.t +Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t ++++ openssl-3.2.3/test/recipes/80-test_ssl_old.t @@ -436,7 +436,7 @@ sub testssl { my @exkeys = (); my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; @@ -739,6 +780,3 @@ index 50b74a1e29..e2dcb68fb5 100644 push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; } --- -2.41.0 - diff --git a/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch b/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch index b061006..7b8f762 100644 --- a/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch +++ b/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch @@ -45,11 +45,11 @@ 
Signed-off-by: Clemens Lang util/perl/OpenSSL/paramnames.pm | 23 ++++++++++--------- 3 files changed, 37 insertions(+), 11 deletions(-) -Index: openssl-3.1.4/include/openssl/evp.h +Index: openssl-3.2.3/include/openssl/evp.h =================================================================== ---- openssl-3.1.4.orig/include/openssl/evp.h -+++ openssl-3.1.4/include/openssl/evp.h -@@ -801,6 +801,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT +--- openssl-3.2.3.orig/include/openssl/evp.h ++++ openssl-3.2.3/include/openssl/evp.h +@@ -804,6 +804,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); @@ -60,11 +60,11 @@ Index: openssl-3.1.4/include/openssl/evp.h __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, EVP_PKEY *pkey); __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, -Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c +Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c =================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c -@@ -1167,6 +1167,24 @@ static int rsa_get_ctx_params(void *vprs +--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c +@@ -1185,6 +1185,24 @@ static int rsa_get_ctx_params(void *vprs } } @@ -89,7 +89,7 @@ Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c return 1; } -@@ -1176,6 +1194,9 @@ static const OSSL_PARAM known_gettable_c +@@ -1194,6 +1212,9 @@ static const OSSL_PARAM known_gettable_c OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), 
@@ -99,51 +99,15 @@ Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c OSSL_PARAM_END }; -Index: openssl-3.1.4/include/openssl/core_names.h +Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm =================================================================== ---- openssl-3.1.4.orig/include/openssl/core_names.h -+++ openssl-3.1.4/include/openssl/core_names.h -@@ -458,6 +458,7 @@ extern "C" { - #define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \ - OSSL_PKEY_PARAM_MGF1_PROPERTIES - #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE -+#define OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR "suse-fips-indicator" - - /* Asym cipher parameters */ - #define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST -Index: openssl-3.1.4/providers/implementations/signature/rsa_sig.c -=================================================================== ---- openssl-3.1.4.orig/providers/implementations/signature/rsa_sig.c -+++ openssl-3.1.4/providers/implementations/signature/rsa_sig.c -@@ -696,8 +696,13 @@ static int rsa_verify_recover(void *vprs - size_t rsabits = RSA_bits(prsactx->rsa); - - if (rsabits < 2048) { -- ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -- return 0; -+ if (rsabits != 1024 -+ && rsabits != 1280 -+ && rsabits != 1536 -+ && rsabits != 1792) { -+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } - } - # endif - -@@ -792,8 +797,13 @@ static int rsa_verify(void *vprsactx, co - size_t rsabits = RSA_bits(prsactx->rsa); - - if (rsabits < 2048) { -- ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -- return 0; -+ if (rsabits != 1024 -+ && rsabits != 1280 -+ && rsabits != 1536 -+ && rsabits != 1792) { -+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } - } - # endif +--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm ++++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm +@@ -386,6 +386,7 @@ my %params = ( + 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', + 
'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', + 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", ++ 'SIGNATURE_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator", + 'SIGNATURE_PARAM_INSTANCE' => "instance", + 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", diff --git a/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch b/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch deleted file mode 100644 index e79c626..0000000 --- a/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch +++ /dev/null 
@@ -1,309 +0,0 @@ -From 4580c303fa88f77a98461fee5fe26b5db725967c Mon Sep 17 00:00:00 2001 -From: Todd Short -Date: Thu, 1 Feb 2024 23:09:38 -0500 -Subject: [PATCH 1/2] Fix EVP_PKEY_CTX_add1_hkdf_info() behavior - -Fix #23448 - -`EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function. - -Fix the setting of the parameter in the params code. -Update the TLS_PRF code to also use the params code. -Add tests. - -Reviewed-by: Shane Lontis -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/23456) - -(cherry picked from commit 6b566687b58fde08b28e3331377f050768fad89b) ---- - crypto/evp/pmeth_lib.c | 65 ++++++++++++++++++- - providers/implementations/exchange/kdf_exch.c | 42 ++++++++++++ - providers/implementations/kdfs/hkdf.c | 8 +++ - test/pkey_meth_kdf_test.c | 53 +++++++++++---- - 4 files changed, 156 insertions(+), 12 deletions(-) - -diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index ba1971c..d0eeaf7 100644 ---- a/crypto/evp/pmeth_lib.c -+++ b/crypto/evp/pmeth_lib.c -@@ -1028,6 +1028,69 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback, - return EVP_PKEY_CTX_set_params(ctx, octet_string_params); - } - -+static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, -+ const char *param, int op, int ctrl, -+ const unsigned char *data, -+ int datalen) -+{ -+ OSSL_PARAM os_params[2]; -+ unsigned char *info = NULL; -+ size_t info_len = 0; -+ size_t info_alloc = 0; -+ int ret = 0; -+ -+ if (ctx == NULL || (ctx->operation & op) == 0) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); -+ /* Uses the same return values as EVP_PKEY_CTX_ctrl */ -+ return -2; -+ } -+ -+ /* Code below to be removed when legacy support is dropped. 
*/ -+ if (fallback) -+ return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data)); -+ /* end of legacy support */ -+ -+ if (datalen < 0) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); -+ return 0; -+ } -+ -+ /* Get the original value length */ -+ os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); -+ os_params[1] = OSSL_PARAM_construct_end(); -+ -+ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) -+ return 0; -+ -+ /* Older provider that doesn't support getting this parameter */ -+ if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) -+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); -+ -+ info_alloc = os_params[0].return_size + datalen; -+ if (info_alloc == 0) -+ return 0; -+ info = OPENSSL_zalloc(info_alloc); -+ if (info == NULL) -+ return 0; -+ info_len = os_params[0].return_size; -+ -+ os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc); -+ -+ /* if we have data, then go get it */ -+ if (info_len > 0) { -+ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) -+ goto error; -+ } -+ -+ /* Copy the input data */ -+ memcpy(&info[info_len], data, datalen); -+ ret = EVP_PKEY_CTX_set_params(ctx, os_params); -+ -+ error: -+ OPENSSL_clear_free(info, info_alloc); -+ return ret; -+} -+ - int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx, - const unsigned char *sec, int seclen) - { -@@ -1078,7 +1141,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx, - int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx, - const unsigned char *info, int infolen) - { -- return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL, -+ return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL, - OSSL_KDF_PARAM_INFO, - EVP_PKEY_OP_DERIVE, - EVP_PKEY_CTRL_HKDF_INFO, -diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c -index 527a866..4bc8102 100644 ---- a/providers/implementations/exchange/kdf_exch.c -+++ 
b/providers/implementations/exchange/kdf_exch.c -@@ -28,9 +28,13 @@ static OSSL_FUNC_keyexch_derive_fn kdf_derive; - static OSSL_FUNC_keyexch_freectx_fn kdf_freectx; - static OSSL_FUNC_keyexch_dupctx_fn kdf_dupctx; - static OSSL_FUNC_keyexch_set_ctx_params_fn kdf_set_ctx_params; -+static OSSL_FUNC_keyexch_get_ctx_params_fn kdf_get_ctx_params; - static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params; - static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; - static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_scrypt_settable_ctx_params; -+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params; -+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; -+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params; - - typedef struct { - void *provctx; -@@ -169,6 +173,13 @@ static int kdf_set_ctx_params(void *vpkdfctx, const OSSL_PARAM params[]) - return EVP_KDF_CTX_set_params(pkdfctx->kdfctx, params); - } - -+static int kdf_get_ctx_params(void *vpkdfctx, OSSL_PARAM params[]) -+{ -+ PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx; -+ -+ return EVP_KDF_CTX_get_params(pkdfctx->kdfctx, params); -+} -+ - static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx, - void *provctx, - const char *kdfname) -@@ -197,6 +208,34 @@ KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF") - KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF") - KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT") - -+static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx, -+ void *provctx, -+ const char *kdfname) -+{ -+ EVP_KDF *kdf = EVP_KDF_fetch(PROV_LIBCTX_OF(provctx), kdfname, -+ NULL); -+ const OSSL_PARAM *params; -+ -+ if (kdf == NULL) -+ return NULL; -+ -+ params = EVP_KDF_gettable_ctx_params(kdf); -+ EVP_KDF_free(kdf); -+ -+ return params; -+} -+ -+#define KDF_GETTABLE_CTX_PARAMS(funcname, kdfname) \ -+ static const OSSL_PARAM *kdf_##funcname##_gettable_ctx_params(void 
*vpkdfctx, \ -+ void *provctx) \ -+ { \ -+ return kdf_gettable_ctx_params(vpkdfctx, provctx, kdfname); \ -+ } -+ -+KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF") -+KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF") -+KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT") -+ - #define KDF_KEYEXCH_FUNCTIONS(funcname) \ - const OSSL_DISPATCH ossl_kdf_##funcname##_keyexch_functions[] = { \ - { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))kdf_##funcname##_newctx }, \ -@@ -205,8 +244,11 @@ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT") - { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))kdf_freectx }, \ - { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))kdf_dupctx }, \ - { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))kdf_set_ctx_params }, \ -+ { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))kdf_get_ctx_params }, \ - { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, \ - (void (*)(void))kdf_##funcname##_settable_ctx_params }, \ -+ { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, \ -+ (void (*)(void))kdf_##funcname##_gettable_ctx_params }, \ - { 0, NULL } \ - }; - -diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c -index daa619b..dd65a2a 100644 ---- a/providers/implementations/kdfs/hkdf.c -+++ b/providers/implementations/kdfs/hkdf.c -@@ -371,6 +371,13 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - return 0; - return OSSL_PARAM_set_size_t(p, sz); - } -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { -+ if (ctx->info == NULL || ctx->info_len == 0) { -+ p->return_size = 0; -+ return 1; -+ } -+ return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); -+ } - return -2; - } - -@@ -379,6 +386,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), - OSSL_PARAM_END - }; - return known_gettable_ctx_params; -diff --git a/test/pkey_meth_kdf_test.c 
b/test/pkey_meth_kdf_test.c -index f816d24..c09e2f3 100644 ---- a/test/pkey_meth_kdf_test.c -+++ b/test/pkey_meth_kdf_test.c -@@ -16,7 +16,7 @@ - #include - #include "testutil.h" - --static int test_kdf_tls1_prf(void) -+static int test_kdf_tls1_prf(int index) - { - int ret = 0; - EVP_PKEY_CTX *pctx; -@@ -40,10 +40,23 @@ static int test_kdf_tls1_prf(void) - TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret"); - goto err; - } -- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, -- (unsigned char *)"seed", 4) <= 0) { -- TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); -- goto err; -+ if (index == 0) { -+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, -+ (unsigned char *)"seed", 4) <= 0) { -+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); -+ goto err; -+ } -+ } else { -+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, -+ (unsigned char *)"se", 2) <= 0) { -+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); -+ goto err; -+ } -+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, -+ (unsigned char *)"ed", 2) <= 0) { -+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); -+ goto err; -+ } - } - if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { - TEST_error("EVP_PKEY_derive"); -@@ -65,7 +78,7 @@ err: - return ret; - } - --static int test_kdf_hkdf(void) -+static int test_kdf_hkdf(int index) - { - int ret = 0; - EVP_PKEY_CTX *pctx; -@@ -94,10 +107,23 @@ static int test_kdf_hkdf(void) - TEST_error("EVP_PKEY_CTX_set1_hkdf_key"); - goto err; - } -- if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5) -+ if (index == 0) { -+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5) - <= 0) { -- TEST_error("EVP_PKEY_CTX_set1_hkdf_info"); -- goto err; -+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); -+ goto err; -+ } -+ } else { -+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3) -+ <= 0) { -+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); -+ goto err; -+ } -+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2) -+ <= 0) { -+ 
TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); -+ goto err; -+ } - } - if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { - TEST_error("EVP_PKEY_derive"); -@@ -195,8 +221,13 @@ err: - - int setup_tests(void) - { -- ADD_TEST(test_kdf_tls1_prf); -- ADD_TEST(test_kdf_hkdf); -+ int tests = 1; -+ -+ if (fips_provider_version_ge(NULL, 3, 3, 1)) -+ tests = 2; -+ -+ ADD_ALL_TESTS(test_kdf_tls1_prf, tests); -+ ADD_ALL_TESTS(test_kdf_hkdf, tests); - #ifndef OPENSSL_NO_SCRYPT - ADD_TEST(test_kdf_scrypt); - #endif --- -2.45.1 - diff --git a/openssl-Force-FIPS.patch b/openssl-Force-FIPS.patch index 3ba0f44..60a7040 100644 --- a/openssl-Force-FIPS.patch +++ b/openssl-Force-FIPS.patch @@ -11,10 +11,10 @@ Patch-status: | crypto/provider_conf.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) -Index: openssl-3.1.4/crypto/provider_conf.c +Index: openssl-3.1.7/crypto/provider_conf.c =================================================================== ---- openssl-3.1.4.orig/crypto/provider_conf.c -+++ openssl-3.1.4/crypto/provider_conf.c +--- openssl-3.1.7.orig/crypto/provider_conf.c ++++ openssl-3.1.7/crypto/provider_conf.c @@ -10,6 +10,8 @@ #include #include 
@@ -24,25 +24,25 @@ Index: openssl-3.1.4/crypto/provider_conf.c #include #include #include -@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_L +@@ -237,7 +239,7 @@ static int provider_conf_activate(OSSL_L if (path != NULL) ossl_provider_set_module_path(prov, path); - ok = provider_conf_params(prov, NULL, NULL, value, cnf); + ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; - if (ok) { + if (ok == 1) { if (!ossl_provider_activate(prov, 1, 0)) { -@@ -197,6 +199,8 @@ static int provider_conf_activate(OSSL_L - } - if (!ok) +@@ -266,6 +268,8 @@ static int provider_conf_activate(OSSL_L + + if (ok <= 0) ossl_provider_free(prov); + } else { + ok = 1; } CRYPTO_THREAD_unlock(pcgbl->lock); -@@ -309,6 +313,33 @@ static int provider_conf_init(CONF_IMODU +@@ -383,6 +387,32 @@ static int provider_conf_init(CONF_IMODU return 0; } @@ -54,7 +54,6 @@ Index: openssl-3.1.4/crypto/provider_conf.c + CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default()); + if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) + return 0; -+ + if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) { + NCONF_free(fips_conf); + return 0; diff --git a/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch b/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch deleted file mode 100644 index 0ad7660..0000000 --- a/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch +++ /dev/null 
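Review bot: In the forced-FIPS loader carried as context in the last hunk, the early `return 0` after a failed `NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL)` leaks the CONF just allocated by `NCONF_new_ex()`; only the `provider_conf_load()` failure path frees it. Presumably this runs each time FIPS mode is forced and the local FIPS config is missing or unreadable, so free before returning: `if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) { NCONF_free(fips_conf); return 0; }` — `NCONF_free()` accepts NULL, so this also covers an allocation failure of `NCONF_new_ex()`. Whether the success path frees `fips_conf` after `provider_conf_load()` returns is outside the hunk and should be checked as well. Separately, the `Index:` paths are bumped to openssl-3.1.7 while the sibling patches in this commit use openssl-3.2.3 paths; `-p1` strips the component so it applies, but it misstates the base this patch was rebased against. The enclosing function starts and ends outside the hunk.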
@@ -1,94 +0,0 @@ -From d6a9c21302e01c33a9a919e7ba380ba3b0ed65b0 Mon Sep 17 00:00:00 2001 -From: trinity-1686a -Date: Mon, 15 Apr 2024 11:13:14 +0200 -Subject: [PATCH 2/2] Handle empty param in EVP_PKEY_CTX_add1_hkdf_info - -Fixes #24130 -The regression was introduced in PR #23456. - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24141) - -(cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5) ---- - crypto/evp/pmeth_lib.c | 2 ++ - test/evp_extra_test.c | 42 ++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 44 insertions(+) - -diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index d0eeaf7..bce1ebc 100644 ---- a/crypto/evp/pmeth_lib.c -+++ b/crypto/evp/pmeth_lib.c -@@ -1053,6 +1053,8 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, - if (datalen < 0) { - ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); - return 0; -+ } else if (datalen == 0) { -+ return 1; - } - - /* Get the original value length */ -diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c -index 9b3bee7..22121ce 100644 ---- a/test/evp_extra_test.c -+++ b/test/evp_extra_test.c -@@ -2565,6 +2565,47 @@ static int test_emptyikm_HKDF(void) - return ret; - } - -+static int test_empty_salt_info_HKDF(void) -+{ -+ EVP_PKEY_CTX *pctx; -+ unsigned char out[20]; -+ size_t outlen; -+ int ret = 0; -+ unsigned char salt[] = ""; -+ unsigned char key[] = "012345678901234567890123456789"; -+ unsigned char info[] = ""; -+ const unsigned char expected[] = { -+ 0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a, -+ 0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06, -+ }; -+ size_t expectedlen = sizeof(expected); -+ -+ if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq))) -+ goto done; -+ -+ outlen = sizeof(out); -+ memset(out, 0, outlen); -+ -+ if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0) -+ || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0) 
-+ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, -+ sizeof(salt) - 1), 0) -+ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key, -+ sizeof(key) - 1), 0) -+ || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info, -+ sizeof(info) - 1), 0) -+ || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0) -+ || !TEST_mem_eq(out, outlen, expected, expectedlen)) -+ goto done; -+ -+ ret = 1; -+ -+ done: -+ EVP_PKEY_CTX_free(pctx); -+ -+ return ret; -+} -+ - #ifndef OPENSSL_NO_EC - static int test_X509_PUBKEY_inplace(void) - { -@@ -5166,6 +5207,7 @@ int setup_tests(void) - #endif - ADD_TEST(test_HKDF); - ADD_TEST(test_emptyikm_HKDF); -+ ADD_TEST(test_empty_salt_info_HKDF); - #ifndef OPENSSL_NO_EC - ADD_TEST(test_X509_PUBKEY_inplace); - ADD_TEST(test_X509_PUBKEY_dup); --- -2.45.1 - diff --git a/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch b/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch deleted file mode 100644 index 7c57d6b..0000000 --- a/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch +++ /dev/null 
@@ -1,495 +0,0 @@ -From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001 -From: Danny Tsen -Date: Tue, 22 Aug 2023 15:58:53 -0400 -Subject: [PATCH] Improve performance for 6x unrolling with vpermxor - instruction - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/21812) ---- - crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++------------- - 1 file changed, 95 insertions(+), 50 deletions(-) - -diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl -index 60cf86f52aed2..38b9405a283b7 100755 ---- a/crypto/aes/asm/aesp8-ppc.pl -+++ b/crypto/aes/asm/aesp8-ppc.pl -@@ -99,11 +99,12 @@ - .long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev - .long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev - .long 0,0,0,0 ?asis -+.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe - Lconsts: - mflr r0 - bcl 20,31,\$+4 - mflr $ptr #vvvvv "distance between . and rcon -- addi $ptr,$ptr,-0x48 -+ addi $ptr,$ptr,-0x58 - mtlr r0 - blr - .long 0 -@@ -2405,7 +2406,7 @@ () - my $key_=$key2; - my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31)); - $x00=0 if ($flavour =~ /osx/); --my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5)); -+my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5)); - my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16)); - my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22)); - my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys -@@ -2460,6 +2461,18 @@ () - li $x70,0x70 - mtspr 256,r0 - -+ # Reverse eighty7 to 0x010101..87 -+ xxlor 2, 32+$eighty7, 32+$eighty7 -+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 -+ xxlor 1, 32+$eighty7, 32+$eighty7 -+ -+ # Load XOR contents. 
0xf102132435465768798a9bacbdcedfe -+ mr $x70, r6 -+ bl Lconsts -+ lxvw4x 0, $x40, r6 # load XOR contents -+ mr r6, $x70 -+ li $x70,0x70 -+ - subi $rounds,$rounds,3 # -4 in total - - lvx $rndkey0,$x00,$key1 # load key schedule -@@ -2502,69 +2515,77 @@ () - ?vperm v31,v31,$twk5,$keyperm - lvx v25,$x10,$key_ # pre-load round[2] - -+ # Switch to use the following codes with 0x010101..87 to generate tweak. -+ # eighty7 = 0x010101..87 -+ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits -+ # vand tmp, tmp, eighty7 # last byte with carry -+ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2) -+ # xxlor vsx, 0, 0 -+ # vpermxor tweak, tweak, tmp, vsx -+ - vperm $in0,$inout,$inptail,$inpperm - subi $inp,$inp,31 # undo "caller" - vxor $twk0,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vand $tmp,$tmp,$eighty7 - vxor $out0,$in0,$twk0 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in1, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - - lvx_u $in1,$x10,$inp - vxor $twk1,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in1,$in1,$in1,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out1,$in1,$twk1 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - - lvx_u $in2,$x20,$inp - andi. 
$taillen,$len,15 - vxor $twk2,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in2,$in2,$in2,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out2,$in2,$twk2 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - - lvx_u $in3,$x30,$inp - sub $len,$len,$taillen - vxor $twk3,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in3,$in3,$in3,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out3,$in3,$twk3 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - - lvx_u $in4,$x40,$inp - subi $len,$len,0x60 - vxor $twk4,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in4,$in4,$in4,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out4,$in4,$twk4 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - - lvx_u $in5,$x50,$inp - addi $inp,$inp,0x60 - vxor $twk5,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in5,$in5,$in5,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out5,$in5,$twk5 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 - - vxor v31,v31,$rndkey0 - mtctr $rounds -@@ -2590,6 +2611,8 @@ () - lvx v25,$x10,$key_ # round[4] - bdnz Loop_xts_enc6x - -+ xxlor 32+$eighty7, 1, 1 # 0x010101..87 -+ - subic $len,$len,96 # $len-=96 - vxor $in0,$twk0,v31 # xor with last round key - vcipher $out0,$out0,v24 -@@ -2599,7 +2622,6 @@ () - vaddubm $tweak,$tweak,$tweak - vcipher $out2,$out2,v24 - vcipher $out3,$out3,v24 -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out4,$out4,v24 - vcipher $out5,$out5,v24 - -@@ -2607,7 +2629,8 @@ () - vand $tmp,$tmp,$eighty7 - vcipher $out0,$out0,v25 - vcipher $out1,$out1,v25 -- vxor $tweak,$tweak,$tmp -+ xxlor 
32+$in1, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - vcipher $out2,$out2,v25 - vcipher $out3,$out3,v25 - vxor $in1,$twk1,v31 -@@ -2618,13 +2641,13 @@ () - - and r0,r0,$len - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out0,$out0,v26 - vcipher $out1,$out1,v26 - vand $tmp,$tmp,$eighty7 - vcipher $out2,$out2,v26 - vcipher $out3,$out3,v26 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - vcipher $out4,$out4,v26 - vcipher $out5,$out5,v26 - -@@ -2638,7 +2661,6 @@ () - vaddubm $tweak,$tweak,$tweak - vcipher $out0,$out0,v27 - vcipher $out1,$out1,v27 -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out2,$out2,v27 - vcipher $out3,$out3,v27 - vand $tmp,$tmp,$eighty7 -@@ -2646,7 +2668,8 @@ () - vcipher $out5,$out5,v27 - - addi $key_,$sp,$FRAME+15 # rewind $key_ -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - vcipher $out0,$out0,v28 - vcipher $out1,$out1,v28 - vxor $in3,$twk3,v31 -@@ -2655,7 +2678,6 @@ () - vcipher $out2,$out2,v28 - vcipher $out3,$out3,v28 - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out4,$out4,v28 - vcipher $out5,$out5,v28 - lvx v24,$x00,$key_ # re-pre-load round[1] -@@ -2663,7 +2685,8 @@ () - - vcipher $out0,$out0,v29 - vcipher $out1,$out1,v29 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - vcipher $out2,$out2,v29 - vcipher $out3,$out3,v29 - vxor $in4,$twk4,v31 -@@ -2673,14 +2696,14 @@ () - vcipher $out5,$out5,v29 - lvx v25,$x10,$key_ # re-pre-load round[2] - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - - vcipher $out0,$out0,v30 - vcipher $out1,$out1,v30 - vand $tmp,$tmp,$eighty7 - vcipher $out2,$out2,v30 - vcipher $out3,$out3,v30 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - vcipher $out4,$out4,v30 - vcipher $out5,$out5,v30 - vxor $in5,$twk5,v31 -@@ -2690,7 +2713,6 @@ () - vcipherlast $out0,$out0,$in0 - lvx_u $in0,$x00,$inp # load next 
input block - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vcipherlast $out1,$out1,$in1 - lvx_u $in1,$x10,$inp - vcipherlast $out2,$out2,$in2 -@@ -2703,7 +2725,10 @@ () - vcipherlast $out4,$out4,$in4 - le?vperm $in2,$in2,$in2,$leperm - lvx_u $in4,$x40,$inp -- vxor $tweak,$tweak,$tmp -+ xxlor 10, 32+$in0, 32+$in0 -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 -+ xxlor 32+$in0, 10, 10 - vcipherlast $tmp,$out5,$in5 # last block might be needed - # in stealing mode - le?vperm $in3,$in3,$in3,$leperm -@@ -2736,6 +2761,8 @@ () - mtctr $rounds - beq Loop_xts_enc6x # did $len-=96 borrow? - -+ xxlor 32+$eighty7, 2, 2 # 0x870101..01 -+ - addic. $len,$len,0x60 - beq Lxts_enc6x_zero - cmpwi $len,0x20 -@@ -3112,6 +3139,18 @@ () - li $x70,0x70 - mtspr 256,r0 - -+ # Reverse eighty7 to 0x010101..87 -+ xxlor 2, 32+$eighty7, 32+$eighty7 -+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 -+ xxlor 1, 32+$eighty7, 32+$eighty7 -+ -+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe -+ mr $x70, r6 -+ bl Lconsts -+ lxvw4x 0, $x40, r6 # load XOR contents -+ mr r6, $x70 -+ li $x70,0x70 -+ - subi $rounds,$rounds,3 # -4 in total - - lvx $rndkey0,$x00,$key1 # load key schedule -@@ -3159,64 +3198,64 @@ () - vxor $twk0,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vand $tmp,$tmp,$eighty7 - vxor $out0,$in0,$twk0 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in1, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - - lvx_u $in1,$x10,$inp - vxor $twk1,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in1,$in1,$in1,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out1,$in1,$twk1 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - - lvx_u $in2,$x20,$inp - andi. 
$taillen,$len,15 - vxor $twk2,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in2,$in2,$in2,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out2,$in2,$twk2 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - - lvx_u $in3,$x30,$inp - sub $len,$len,$taillen - vxor $twk3,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in3,$in3,$in3,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out3,$in3,$twk3 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - - lvx_u $in4,$x40,$inp - subi $len,$len,0x60 - vxor $twk4,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in4,$in4,$in4,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out4,$in4,$twk4 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - - lvx_u $in5,$x50,$inp - addi $inp,$inp,0x60 - vxor $twk5,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in5,$in5,$in5,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out5,$in5,$twk5 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 - - vxor v31,v31,$rndkey0 - mtctr $rounds -@@ -3242,6 +3281,8 @@ () - lvx v25,$x10,$key_ # round[4] - bdnz Loop_xts_dec6x - -+ xxlor 32+$eighty7, 1, 1 -+ - subic $len,$len,96 # $len-=96 - vxor $in0,$twk0,v31 # xor with last round key - vncipher $out0,$out0,v24 -@@ -3251,7 +3292,6 @@ () - vaddubm $tweak,$tweak,$tweak - vncipher $out2,$out2,v24 - vncipher $out3,$out3,v24 -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out4,$out4,v24 - vncipher $out5,$out5,v24 - -@@ -3259,7 +3299,8 @@ () - vand $tmp,$tmp,$eighty7 - vncipher $out0,$out0,v25 - vncipher $out1,$out1,v25 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in1, 0, 
0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - vncipher $out2,$out2,v25 - vncipher $out3,$out3,v25 - vxor $in1,$twk1,v31 -@@ -3270,13 +3311,13 @@ () - - and r0,r0,$len - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out0,$out0,v26 - vncipher $out1,$out1,v26 - vand $tmp,$tmp,$eighty7 - vncipher $out2,$out2,v26 - vncipher $out3,$out3,v26 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - vncipher $out4,$out4,v26 - vncipher $out5,$out5,v26 - -@@ -3290,7 +3331,6 @@ () - vaddubm $tweak,$tweak,$tweak - vncipher $out0,$out0,v27 - vncipher $out1,$out1,v27 -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out2,$out2,v27 - vncipher $out3,$out3,v27 - vand $tmp,$tmp,$eighty7 -@@ -3298,7 +3338,8 @@ () - vncipher $out5,$out5,v27 - - addi $key_,$sp,$FRAME+15 # rewind $key_ -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - vncipher $out0,$out0,v28 - vncipher $out1,$out1,v28 - vxor $in3,$twk3,v31 -@@ -3307,7 +3348,6 @@ () - vncipher $out2,$out2,v28 - vncipher $out3,$out3,v28 - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out4,$out4,v28 - vncipher $out5,$out5,v28 - lvx v24,$x00,$key_ # re-pre-load round[1] -@@ -3315,7 +3355,8 @@ () - - vncipher $out0,$out0,v29 - vncipher $out1,$out1,v29 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - vncipher $out2,$out2,v29 - vncipher $out3,$out3,v29 - vxor $in4,$twk4,v31 -@@ -3325,14 +3366,14 @@ () - vncipher $out5,$out5,v29 - lvx v25,$x10,$key_ # re-pre-load round[2] - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - - vncipher $out0,$out0,v30 - vncipher $out1,$out1,v30 - vand $tmp,$tmp,$eighty7 - vncipher $out2,$out2,v30 - vncipher $out3,$out3,v30 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - vncipher $out4,$out4,v30 - vncipher $out5,$out5,v30 - vxor $in5,$twk5,v31 -@@ -3342,7 +3383,6 @@ () - vncipherlast $out0,$out0,$in0 - lvx_u 
$in0,$x00,$inp # load next input block - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vncipherlast $out1,$out1,$in1 - lvx_u $in1,$x10,$inp - vncipherlast $out2,$out2,$in2 -@@ -3355,7 +3395,10 @@ () - vncipherlast $out4,$out4,$in4 - le?vperm $in2,$in2,$in2,$leperm - lvx_u $in4,$x40,$inp -- vxor $tweak,$tweak,$tmp -+ xxlor 10, 32+$in0, 32+$in0 -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 -+ xxlor 32+$in0, 10, 10 - vncipherlast $out5,$out5,$in5 - le?vperm $in3,$in3,$in3,$leperm - lvx_u $in5,$x50,$inp -@@ -3386,6 +3429,8 @@ () - mtctr $rounds - beq Loop_xts_dec6x # did $len-=96 borrow? - -+ xxlor 32+$eighty7, 2, 2 -+ - addic. $len,$len,0x60 - beq Lxts_dec6x_zero - cmpwi $len,0x20 diff --git a/openssl-Remove-EC-curves.patch b/openssl-Remove-EC-curves.patch index 3782ce0..fa4efdf 100644 --- a/openssl-Remove-EC-curves.patch +++ b/openssl-Remove-EC-curves.patch @@ -15,11 +15,11 @@ Patch-status: | test/recipes/15-test_genec.t | 27 ----------- 5 files changed, 1 insertion(+), 147 deletions(-) -diff --git a/apps/speed.c b/apps/speed.c -index cace25eda1..d527f12f18 100644 ---- a/apps/speed.c -+++ b/apps/speed.c -@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */ +Index: openssl-3.2.3/apps/speed.c +=================================================================== +--- openssl-3.2.3.orig/apps/speed.c ++++ openssl-3.2.3/apps/speed.c +@@ -401,7 +401,7 @@ static double ffdh_results[FFDH_NUM][1]; #endif /* OPENSSL_NO_DH */ enum ec_curves_t { @@ -28,7 +28,7 @@ index cace25eda1..d527f12f18 100644 #ifndef OPENSSL_NO_EC2M R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, -@@ -395,8 +395,6 @@ enum ec_curves_t { +@@ -411,8 +411,6 @@ enum ec_curves_t { }; /* list of ecdsa curves */ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { 
@@ -37,8 +37,8 @@ index cace25eda1..d527f12f18 100644 {"ecdsap224", R_EC_P224}, {"ecdsap256", R_EC_P256}, {"ecdsap384", R_EC_P384}, -@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { - enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM }; +@@ -445,8 +443,6 @@ enum { + }; /* list of ecdh curves, extension of |ecdsa_choices| list above */ static const OPT_PAIR ecdh_choices[EC_NUM] = { - {"ecdhp160", R_EC_P160}, @@ -46,7 +46,7 @@ index cace25eda1..d527f12f18 100644 {"ecdhp224", R_EC_P224}, {"ecdhp256", R_EC_P256}, {"ecdhp384", R_EC_P384}, -@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv) +@@ -1781,8 +1777,6 @@ int speed_main(int argc, char **argv) */ static const EC_CURVE ec_curves[EC_NUM] = { /* Prime Curves */ @@ -55,10 +55,10 @@ index cace25eda1..d527f12f18 100644 {"nistp224", NID_secp224r1, 224}, {"nistp256", NID_X9_62_prime256v1, 256}, {"nistp384", NID_secp384r1, 384}, -diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c -index 1ec10143d2..82b95294b4 100644 ---- a/crypto/evp/ec_support.c -+++ b/crypto/evp/ec_support.c +Index: openssl-3.2.3/crypto/evp/ec_support.c +=================================================================== +--- openssl-3.2.3.orig/crypto/evp/ec_support.c ++++ openssl-3.2.3/crypto/evp/ec_support.c @@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { static const EC_NAME2NID curve_list[] = { /* prime field curves */ @@ -149,7 +149,7 @@ index 1ec10143d2..82b95294b4 100644 {"brainpoolP256r1", NID_brainpoolP256r1 }, {"brainpoolP256t1", NID_brainpoolP256t1 }, {"brainpoolP320r1", NID_brainpoolP320r1 }, -@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name) +@@ -150,17 +76,6 @@ int ossl_ec_curve_name2nid(const char *n /* Functions to translate between common NIST curve names and NIDs */ static const EC_NAME2NID nist_curves[] = { 
@@ -167,15 +167,14 @@ index 1ec10143d2..82b95294b4 100644 {"P-224", NID_secp224r1}, {"P-256", NID_X9_62_prime256v1}, {"P-384", NID_secp384r1}, -diff --git a/test/acvp_test.inc b/test/acvp_test.inc -index ad11d3ae1e..894a0bff9d 100644 ---- a/test/acvp_test.inc -+++ b/test/acvp_test.inc -@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = { - 0xB1, 0xAC, +Index: openssl-3.2.3/test/acvp_test.inc +=================================================================== +--- openssl-3.2.3.orig/test/acvp_test.inc ++++ openssl-3.2.3/test/acvp_test.inc +@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_ }; static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { -- { + { - "SHA-1", - "P-192", - ITM(ecdsa_sigver_msg0), @@ -184,13 +183,14 @@ index ad11d3ae1e..894a0bff9d 100644 - ITM(ecdsa_sigver_s0), - PASS, - }, - { +- { "SHA2-512", "P-521", -diff --git a/test/ecdsatest.h b/test/ecdsatest.h -index 63fe319025..06b5c0aac5 100644 ---- a/test/ecdsatest.h -+++ b/test/ecdsatest.h + ITM(ecdsa_sigver_msg1), +Index: openssl-3.2.3/test/ecdsatest.h +=================================================================== +--- openssl-3.2.3.orig/test/ecdsatest.h ++++ openssl-3.2.3/test/ecdsatest.h @@ -32,23 +32,6 @@ typedef struct { } ecdsa_cavs_kat_t; 
@@ -215,11 +215,11 @@ index 63fe319025..06b5c0aac5 100644 /* prime KATs from NIST CAVP */ {NID_secp224r1, NID_sha224, "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" -diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t -index 2dfed387ca..c733b68f83 100644 ---- a/test/recipes/15-test_genec.t -+++ b/test/recipes/15-test_genec.t -@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build" +Index: openssl-3.2.3/test/recipes/15-test_genec.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/15-test_genec.t ++++ openssl-3.2.3/test/recipes/15-test_genec.t +@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport if disabled("ec"); my @prime_curves = qw( @@ -265,6 +265,3 @@ index 2dfed387ca..c733b68f83 100644 P-224 P-256 P-384 --- -2.41.0 - diff --git a/openssl-TESTS-Disable-default-provider-crypto-policies.patch b/openssl-TESTS-Disable-default-provider-crypto-policies.patch new file mode 100644 index 0000000..6a011f0 --- /dev/null +++ b/openssl-TESTS-Disable-default-provider-crypto-policies.patch 
@@ -0,0 +1,43 @@
+Index: openssl-3.2.3/apps/openssl.cnf
+===================================================================
+--- openssl-3.2.3.orig/apps/openssl.cnf
++++ openssl-3.2.3/apps/openssl.cnf
+@@ -45,8 +45,8 @@ tsa_policy3 = 1.2.3.4.5.7
+ [openssl_init]
+ providers = provider_sect
+ # Load default TLS policy configuration
+-ssl_conf = ssl_module
+-alg_section = evp_properties
++##ssl_conf = ssl_module
++##alg_section = evp_properties
+ 
+ [ evp_properties ]
+ # This section is intentionally added empty here to be tuned on particular systems
+@@ -61,20 +61,20 @@ alg_section = evp_properties
+ # to side-channel attacks and as such have been deprecated.
+ 
+ [provider_sect]
+-default = default_sect
++##default = default_sect
+ ##legacy = legacy_sect
+ 
+-[default_sect]
+-activate = 1
++##[default_sect]
++##activate = 1
+ 
+ ##[legacy_sect]
+ ##activate = 1
+ 
+-[ ssl_module ]
+-system_default = crypto_policy
++##[ ssl_module ]
++##system_default = crypto_policy
+ 
+-[ crypto_policy ]
+-.include = /etc/crypto-policies/back-ends/opensslcnf.config
++##[ crypto_policy ]
++##.include = /etc/crypto-policies/back-ends/opensslcnf.config
+ 
+ ####################################################################
+ [ ca ]
diff --git a/openssl-crypto-policies-support.patch b/openssl-crypto-policies-support.patch
deleted file mode 100644
index c7f3f16..0000000
--- a/openssl-crypto-policies-support.patch
+++ /dev/null
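Review bot: The new patch file has no header, so nothing records that it disables security-relevant configuration in `apps/openssl.cnf` — the `.include = /etc/crypto-policies/back-ends/opensslcnf.config` system policy, the `ssl_conf`/`alg_section` hooks and the explicit `default` provider activation — or that it is intended only for the upstream test run. The deleted openssl-crypto-policies-support.patch at least stated "It needs to be reverted before running tests."; this one should carry the inverse statement above the first `Index:` line, e.g. `Disable the crypto-policies include and default-provider activation in openssl.cnf so the upstream test suite runs against stock defaults.` followed by `Apply only around the test run; never ship a config built with this applied, or system-wide TLS policy enforcement is silently lost.` Presumably the spec applies and reverts it around %check, but that is not visible here and is worth confirming.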
@@ -1,35 +0,0 @@
-Add default section to load crypto-policies configuration for TLS.
-
-It needs to be reverted before running tests.
-
----
- apps/openssl.cnf | 20 ++++++++++++++++++--
- 2 files changed, 19 insertions(+), 3 deletions(-)
-
-Index: openssl-3.2.0/apps/openssl.cnf
-===================================================================
---- openssl-3.2.0.orig/apps/openssl.cnf
-+++ openssl-3.2.0/apps/openssl.cnf
-@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
- 
- [openssl_init]
- providers = provider_sect
-+# Load default TLS policy configuration
-+ssl_conf = ssl_module
- 
- # List of providers to load
- [provider_sect]
-@@ -71,6 +73,13 @@ default = default_sect
- [default_sect]
- # activate = 1
- 
-+[ ssl_module ]
-+
-+system_default = crypto_policy
-+
-+[ crypto_policy ]
-+
-+.include = /etc/crypto-policies/back-ends/opensslcnf.config
- 
- ####################################################################
- [ ca ]
diff --git a/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch b/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
deleted file mode 100644
index 3bb9496..0000000
--- a/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
+++ /dev/null
@@ -1,2159 +0,0 @@ -From 01d901e470d9e035a3bd78e77b9438a4cc0da785 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Wed, 12 Jul 2023 12:25:22 +1000 -Subject: [PATCH] ec: 56-bit Limb Solinas' Strategy for secp384r1 - -Adopt a 56-bit redundant-limb Solinas' reduction approach for efficient -modular multiplication in P384. This has the affect of accelerating -digital signing by 446% and verification by 106%. The implementation -strategy and names of methods are the same as that provided in -ecp_nistp224 and ecp_nistp521. - -As in Commit 1036749883cc ("ec: Add run time code selection for p521 -field operations"), allow for run time selection of implementation for -felem_{square,mul}, where an assembly implementation is proclaimed to -be present when ECP_NISTP384_ASM is present. - -Signed-off-by: Rohan McLure - -Reviewed-by: Paul Dale -Reviewed-by: Shane Lontis -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Todd Short -(Merged from https://github.com/openssl/openssl/pull/21471) ---- - crypto/ec/build.info | 2 - crypto/ec/ec_curve.c | 4 - crypto/ec/ec_lib.c | 8 - crypto/ec/ec_local.h | 27 - crypto/ec/ecp_nistp384.c | 1988 +++++++++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 2027 insertions(+), 2 deletions(-) - create mode 100644 crypto/ec/ecp_nistp384.c - ---- a/crypto/ec/build.info -+++ b/crypto/ec/build.info -@@ -59,7 +59,7 @@ $COMMON=ec_lib.c ecp_smpl.c ecp_mont.c e - curve448/arch_32/f_impl32.c - - IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}] -- $COMMON=$COMMON ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c -+ $COMMON=$COMMON ecp_nistp224.c ecp_nistp256.c ecp_nistp384.c ecp_nistp521.c ecp_nistputil.c - ENDIF - - SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c ecx_meth.c \ ---- a/crypto/ec/ec_curve.c -+++ b/crypto/ec/ec_curve.c -@@ -2838,6 +2838,8 @@ static const ec_list_element curve_list[ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, - # if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, -+# elif 
!defined(OPENSSL_NO_EC_NISTP_64_GCC_128) -+ ossl_ec_GFp_nistp384_method, - # else - 0, - # endif -@@ -2931,6 +2933,8 @@ static const ec_list_element curve_list[ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, - # if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, -+# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) -+ ossl_ec_GFp_nistp384_method, - # else - 0, - # endif ---- a/crypto/ec/ec_lib.c -+++ b/crypto/ec/ec_lib.c -@@ -102,12 +102,16 @@ void EC_pre_comp_free(EC_GROUP *group) - case PCT_nistp256: - EC_nistp256_pre_comp_free(group->pre_comp.nistp256); - break; -+ case PCT_nistp384: -+ ossl_ec_nistp384_pre_comp_free(group->pre_comp.nistp384); -+ break; - case PCT_nistp521: - EC_nistp521_pre_comp_free(group->pre_comp.nistp521); - break; - #else - case PCT_nistp224: - case PCT_nistp256: -+ case PCT_nistp384: - case PCT_nistp521: - break; - #endif -@@ -191,12 +195,16 @@ int EC_GROUP_copy(EC_GROUP *dest, const - case PCT_nistp256: - dest->pre_comp.nistp256 = EC_nistp256_pre_comp_dup(src->pre_comp.nistp256); - break; -+ case PCT_nistp384: -+ dest->pre_comp.nistp384 = ossl_ec_nistp384_pre_comp_dup(src->pre_comp.nistp384); -+ break; - case PCT_nistp521: - dest->pre_comp.nistp521 = EC_nistp521_pre_comp_dup(src->pre_comp.nistp521); - break; - #else - case PCT_nistp224: - case PCT_nistp256: -+ case PCT_nistp384: - case PCT_nistp521: - break; - #endif ---- a/crypto/ec/ec_local.h -+++ b/crypto/ec/ec_local.h -@@ -203,6 +203,7 @@ struct ec_method_st { - */ - typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP; - typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP; -+typedef struct nistp384_pre_comp_st NISTP384_PRE_COMP; - typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP; - typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP; - typedef struct ec_pre_comp_st EC_PRE_COMP; -@@ -264,12 +265,13 @@ struct ec_group_st { - */ - enum { - PCT_none, -- PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256, -+ PCT_nistp224, PCT_nistp256, PCT_nistp384, PCT_nistp521, PCT_nistz256, 
- PCT_ec - } pre_comp_type; - union { - NISTP224_PRE_COMP *nistp224; - NISTP256_PRE_COMP *nistp256; -+ NISTP384_PRE_COMP *nistp384; - NISTP521_PRE_COMP *nistp521; - NISTZ256_PRE_COMP *nistz256; - EC_PRE_COMP *ec; -@@ -333,6 +335,7 @@ static ossl_inline int ec_point_is_compa - - NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); - NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); -+NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *); - NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); - NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *); - NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); -@@ -341,6 +344,7 @@ EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_C - void EC_pre_comp_free(EC_GROUP *group); - void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *); - void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *); -+void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *); - void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *); - void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *); - void EC_ec_pre_comp_free(EC_PRE_COMP *); -@@ -552,6 +556,27 @@ int ossl_ec_GFp_nistp256_points_mul(cons - int ossl_ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); - int ossl_ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); - -+/* method functions in ecp_nistp384.c */ -+int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group); -+int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p, -+ const BIGNUM *a, const BIGNUM *n, -+ BN_CTX *); -+int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group, -+ const EC_POINT *point, -+ BIGNUM *x, BIGNUM *y, -+ BN_CTX *ctx); -+int ossl_ec_GFp_nistp384_mul(const EC_GROUP *group, EC_POINT *r, -+ const BIGNUM *scalar, size_t num, -+ const EC_POINT *points[], const BIGNUM *scalars[], -+ BN_CTX *); -+int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r, -+ const BIGNUM *scalar, size_t num, -+ const 
EC_POINT *points[], -+ const BIGNUM *scalars[], BN_CTX *ctx); -+int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -+int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group); -+const EC_METHOD *ossl_ec_GFp_nistp384_method(void); -+ - /* method functions in ecp_nistp521.c */ - int ossl_ec_GFp_nistp521_group_init(EC_GROUP *group); - int ossl_ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, ---- /dev/null -+++ b/crypto/ec/ecp_nistp384.c -@@ -0,0 +1,1988 @@ -+/* -+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/* Copyright 2023 IBM Corp. -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+ -+/* -+ * Designed for 56-bit limbs by Rohan McLure . -+ * The layout is based on that of ecp_nistp{224,521}.c, allowing even for asm -+ * acceleration of felem_{square,mul} as supported in these files. -+ */ -+ -+#include -+ -+#include -+#include -+#include "ec_local.h" -+ -+#include "internal/numbers.h" -+ -+#ifndef INT128_MAX -+# error "Your compiler doesn't appear to support 128-bit integer types" -+#endif -+ -+typedef uint8_t u8; -+typedef uint64_t u64; -+ -+/* -+ * The underlying field. 
P384 operates over GF(2^384-2^128-2^96+2^32-1). We -+ * can serialize an element of this field into 48 bytes. We call this an -+ * felem_bytearray. -+ */ -+ -+typedef u8 felem_bytearray[48]; -+ -+/* -+ * These are the parameters of P384, taken from FIPS 186-3, section D.1.2.4. -+ * These values are big-endian. -+ */ -+static const felem_bytearray nistp384_curve_params[5] = { -+ {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF}, -+ {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a = -3 */ -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC}, -+ {0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, /* b */ -+ 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, -+ 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, -+ 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF}, -+ {0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, /* x */ -+ 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, -+ 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, -+ 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7}, -+ {0x36, 0x17, 0xDE, 0x4A, 0x96, 0x26, 0x2C, 0x6F, 0x5D, 0x9E, 0x98, 0xBF, /* y */ -+ 0x92, 0x92, 0xDC, 0x29, 0xF8, 0xF4, 0x1D, 0xBD, 0x28, 0x9A, 0x14, 0x7C, -+ 0xE9, 0xDA, 0x31, 0x13, 0xB5, 0xF0, 0xB8, 0xC0, 0x0A, 0x60, 0xB1, 0xCE, -+ 0x1D, 0x7E, 0x81, 0x9D, 0x7A, 0x43, 0x1D, 0x7C, 0x90, 0xEA, 0x0E, 0x5F}, -+}; -+ -+/*- -+ * The representation of field elements. 
-+ * ------------------------------------ -+ * -+ * We represent field elements with seven values. These values are either 64 or -+ * 128 bits and the field element represented is: -+ * v[0]*2^0 + v[1]*2^56 + v[2]*2^112 + ... + v[6]*2^336 (mod p) -+ * Each of the seven values is called a 'limb'. Since the limbs are spaced only -+ * 56 bits apart, but are greater than 56 bits in length, the most significant -+ * bits of each limb overlap with the least significant bits of the next -+ * -+ * This representation is considered to be 'redundant' in the sense that -+ * intermediate values can each contain more than a 56-bit value in each limb. -+ * Reduction causes all but the final limb to be reduced to contain a value less -+ * than 2^56, with the final value represented allowed to be larger than 2^384, -+ * inasmuch as we can be sure that arithmetic overflow remains impossible. The -+ * reduced value must of course be congruent to the unreduced value. -+ * -+ * A field element with 64-bit limbs is an 'felem'. One with 128-bit limbs is a -+ * 'widefelem', featuring enough bits to store the result of a multiplication -+ * and even some further arithmetic without need for immediate reduction. 
-+ */ -+ -+#define NLIMBS 7 -+ -+typedef uint64_t limb; -+typedef uint128_t widelimb; -+typedef limb limb_aX __attribute((__aligned__(1))); -+typedef limb felem[NLIMBS]; -+typedef widelimb widefelem[2*NLIMBS-1]; -+ -+static const limb bottom56bits = 0xffffffffffffff; -+ -+/* Helper functions (de)serialising reduced field elements in little endian */ -+static void bin48_to_felem(felem out, const u8 in[48]) -+{ -+ memset(out, 0, 56); -+ out[0] = (*((limb *) & in[0])) & bottom56bits; -+ out[1] = (*((limb_aX *) & in[7])) & bottom56bits; -+ out[2] = (*((limb_aX *) & in[14])) & bottom56bits; -+ out[3] = (*((limb_aX *) & in[21])) & bottom56bits; -+ out[4] = (*((limb_aX *) & in[28])) & bottom56bits; -+ out[5] = (*((limb_aX *) & in[35])) & bottom56bits; -+ memmove(&out[6], &in[42], 6); -+} -+ -+static void felem_to_bin48(u8 out[48], const felem in) -+{ -+ memset(out, 0, 48); -+ (*((limb *) & out[0])) |= (in[0] & bottom56bits); -+ (*((limb_aX *) & out[7])) |= (in[1] & bottom56bits); -+ (*((limb_aX *) & out[14])) |= (in[2] & bottom56bits); -+ (*((limb_aX *) & out[21])) |= (in[3] & bottom56bits); -+ (*((limb_aX *) & out[28])) |= (in[4] & bottom56bits); -+ (*((limb_aX *) & out[35])) |= (in[5] & bottom56bits); -+ memmove(&out[42], &in[6], 6); -+} -+ -+/* BN_to_felem converts an OpenSSL BIGNUM into an felem */ -+static int BN_to_felem(felem out, const BIGNUM *bn) -+{ -+ felem_bytearray b_out; -+ int num_bytes; -+ -+ if (BN_is_negative(bn)) { -+ ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE); -+ return 0; -+ } -+ num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out)); -+ if (num_bytes < 0) { -+ ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE); -+ return 0; -+ } -+ bin48_to_felem(out, b_out); -+ return 1; -+} -+ -+/* felem_to_BN converts an felem into an OpenSSL BIGNUM */ -+static BIGNUM *felem_to_BN(BIGNUM *out, const felem in) -+{ -+ felem_bytearray b_out; -+ -+ felem_to_bin48(b_out, in); -+ return BN_lebin2bn(b_out, sizeof(b_out), out); -+} -+ -+/*- -+ * Field operations -+ * 
---------------- -+ */ -+ -+static void felem_one(felem out) -+{ -+ out[0] = 1; -+ memset(&out[1], 0, sizeof(limb) * (NLIMBS-1)); -+} -+ -+static void felem_assign(felem out, const felem in) -+{ -+ memcpy(out, in, sizeof(felem)); -+} -+ -+/* felem_sum64 sets out = out + in. */ -+static void felem_sum64(felem out, const felem in) -+{ -+ unsigned int i; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] += in[i]; -+} -+ -+/* felem_scalar sets out = in * scalar */ -+static void felem_scalar(felem out, const felem in, limb scalar) -+{ -+ unsigned int i; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] = in[i] * scalar; -+} -+ -+/* felem_scalar64 sets out = out * scalar */ -+static void felem_scalar64(felem out, limb scalar) -+{ -+ unsigned int i; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] *= scalar; -+} -+ -+/* felem_scalar128 sets out = out * scalar */ -+static void felem_scalar128(widefelem out, limb scalar) -+{ -+ unsigned int i; -+ -+ for (i = 0; i < 2*NLIMBS-1; i++) -+ out[i] *= scalar; -+} -+ -+/*- -+ * felem_neg sets |out| to |-in| -+ * On entry: -+ * in[i] < 2^60 - 2^29 -+ * On exit: -+ * out[i] < 2^60 -+ */ -+static void felem_neg(felem out, const felem in) -+{ -+ /* -+ * In order to prevent underflow, we add a multiple of p before subtracting. -+ * Use telescopic sums to represent 2^12 * p redundantly with each limb -+ * of the form 2^60 + ... 
-+ */ -+ static const limb two60m52m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 52) -+ - (((limb) 1) << 4); -+ static const limb two60p44m12 = (((limb) 1) << 60) -+ + (((limb) 1) << 44) -+ - (((limb) 1) << 12); -+ static const limb two60m28m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 28) -+ - (((limb) 1) << 4); -+ static const limb two60m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 4); -+ -+ out[0] = two60p44m12 - in[0]; -+ out[1] = two60m52m4 - in[1]; -+ out[2] = two60m28m4 - in[2]; -+ out[3] = two60m4 - in[3]; -+ out[4] = two60m4 - in[4]; -+ out[5] = two60m4 - in[5]; -+ out[6] = two60m4 - in[6]; -+} -+ -+/*- -+ * felem_diff64 subtracts |in| from |out| -+ * On entry: -+ * in[i] < 2^60 - 2^52 - 2^4 -+ * On exit: -+ * out[i] < out_orig[i] + 2^60 + 2^44 -+ */ -+static void felem_diff64(felem out, const felem in) -+{ -+ /* -+ * In order to prevent underflow, we add a multiple of p before subtracting. -+ * Use telescopic sums to represent 2^12 * p redundantly with each limb -+ * of the form 2^60 + ... -+ */ -+ -+ static const limb two60m52m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 52) -+ - (((limb) 1) << 4); -+ static const limb two60p44m12 = (((limb) 1) << 60) -+ + (((limb) 1) << 44) -+ - (((limb) 1) << 12); -+ static const limb two60m28m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 28) -+ - (((limb) 1) << 4); -+ static const limb two60m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 4); -+ -+ out[0] += two60p44m12 - in[0]; -+ out[1] += two60m52m4 - in[1]; -+ out[2] += two60m28m4 - in[2]; -+ out[3] += two60m4 - in[3]; -+ out[4] += two60m4 - in[4]; -+ out[5] += two60m4 - in[5]; -+ out[6] += two60m4 - in[6]; -+} -+ -+/* -+ * in[i] < 2^63 -+ * out[i] < out_orig[i] + 2^64 + 2^48 -+ */ -+static void felem_diff_128_64(widefelem out, const felem in) -+{ -+ /* -+ * In order to prevent underflow, we add a multiple of p before subtracting. -+ * Use telescopic sums to represent 2^16 * p redundantly with each limb -+ * of the form 2^64 + ... 
-+ */ -+ -+ static const widelimb two64m56m8 = (((widelimb) 1) << 64) -+ - (((widelimb) 1) << 56) -+ - (((widelimb) 1) << 8); -+ static const widelimb two64m32m8 = (((widelimb) 1) << 64) -+ - (((widelimb) 1) << 32) -+ - (((widelimb) 1) << 8); -+ static const widelimb two64m8 = (((widelimb) 1) << 64) -+ - (((widelimb) 1) << 8); -+ static const widelimb two64p48m16 = (((widelimb) 1) << 64) -+ + (((widelimb) 1) << 48) -+ - (((widelimb) 1) << 16); -+ unsigned int i; -+ -+ out[0] += two64p48m16; -+ out[1] += two64m56m8; -+ out[2] += two64m32m8; -+ out[3] += two64m8; -+ out[4] += two64m8; -+ out[5] += two64m8; -+ out[6] += two64m8; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] -= in[i]; -+} -+ -+/* -+ * in[i] < 2^127 - 2^119 - 2^71 -+ * out[i] < out_orig[i] + 2^127 + 2^111 -+ */ -+static void felem_diff128(widefelem out, const widefelem in) -+{ -+ /* -+ * In order to prevent underflow, we add a multiple of p before subtracting. -+ * Use telescopic sums to represent 2^415 * p redundantly with each limb -+ * of the form 2^127 + ... 
-+ */ -+ -+ static const widelimb two127 = ((widelimb) 1) << 127; -+ static const widelimb two127m71 = (((widelimb) 1) << 127) -+ - (((widelimb) 1) << 71); -+ static const widelimb two127p111m79m71 = (((widelimb) 1) << 127) -+ + (((widelimb) 1) << 111) -+ - (((widelimb) 1) << 79) -+ - (((widelimb) 1) << 71); -+ static const widelimb two127m119m71 = (((widelimb) 1) << 127) -+ - (((widelimb) 1) << 119) -+ - (((widelimb) 1) << 71); -+ static const widelimb two127m95m71 = (((widelimb) 1) << 127) -+ - (((widelimb) 1) << 95) -+ - (((widelimb) 1) << 71); -+ unsigned int i; -+ -+ out[0] += two127; -+ out[1] += two127m71; -+ out[2] += two127m71; -+ out[3] += two127m71; -+ out[4] += two127m71; -+ out[5] += two127m71; -+ out[6] += two127p111m79m71; -+ out[7] += two127m119m71; -+ out[8] += two127m95m71; -+ out[9] += two127m71; -+ out[10] += two127m71; -+ out[11] += two127m71; -+ out[12] += two127m71; -+ -+ for (i = 0; i < 2*NLIMBS-1; i++) -+ out[i] -= in[i]; -+} -+ -+static void felem_square_ref(widefelem out, const felem in) -+{ -+ felem inx2; -+ felem_scalar(inx2, in, 2); -+ -+ out[0] = ((uint128_t) in[0]) * in[0]; -+ -+ out[1] = ((uint128_t) in[0]) * inx2[1]; -+ -+ out[2] = ((uint128_t) in[0]) * inx2[2] -+ + ((uint128_t) in[1]) * in[1]; -+ -+ out[3] = ((uint128_t) in[0]) * inx2[3] -+ + ((uint128_t) in[1]) * inx2[2]; -+ -+ out[4] = ((uint128_t) in[0]) * inx2[4] -+ + ((uint128_t) in[1]) * inx2[3] -+ + ((uint128_t) in[2]) * in[2]; -+ -+ out[5] = ((uint128_t) in[0]) * inx2[5] -+ + ((uint128_t) in[1]) * inx2[4] -+ + ((uint128_t) in[2]) * inx2[3]; -+ -+ out[6] = ((uint128_t) in[0]) * inx2[6] -+ + ((uint128_t) in[1]) * inx2[5] -+ + ((uint128_t) in[2]) * inx2[4] -+ + ((uint128_t) in[3]) * in[3]; -+ -+ out[7] = ((uint128_t) in[1]) * inx2[6] -+ + ((uint128_t) in[2]) * inx2[5] -+ + ((uint128_t) in[3]) * inx2[4]; -+ -+ out[8] = ((uint128_t) in[2]) * inx2[6] -+ + ((uint128_t) in[3]) * inx2[5] -+ + ((uint128_t) in[4]) * in[4]; -+ -+ out[9] = ((uint128_t) in[3]) * inx2[6] -+ + 
((uint128_t) in[4]) * inx2[5]; -+ -+ out[10] = ((uint128_t) in[4]) * inx2[6] -+ + ((uint128_t) in[5]) * in[5]; -+ -+ out[11] = ((uint128_t) in[5]) * inx2[6]; -+ -+ out[12] = ((uint128_t) in[6]) * in[6]; -+} -+ -+static void felem_mul_ref(widefelem out, const felem in1, const felem in2) -+{ -+ out[0] = ((uint128_t) in1[0]) * in2[0]; -+ -+ out[1] = ((uint128_t) in1[0]) * in2[1] -+ + ((uint128_t) in1[1]) * in2[0]; -+ -+ out[2] = ((uint128_t) in1[0]) * in2[2] -+ + ((uint128_t) in1[1]) * in2[1] -+ + ((uint128_t) in1[2]) * in2[0]; -+ -+ out[3] = ((uint128_t) in1[0]) * in2[3] -+ + ((uint128_t) in1[1]) * in2[2] -+ + ((uint128_t) in1[2]) * in2[1] -+ + ((uint128_t) in1[3]) * in2[0]; -+ -+ out[4] = ((uint128_t) in1[0]) * in2[4] -+ + ((uint128_t) in1[1]) * in2[3] -+ + ((uint128_t) in1[2]) * in2[2] -+ + ((uint128_t) in1[3]) * in2[1] -+ + ((uint128_t) in1[4]) * in2[0]; -+ -+ out[5] = ((uint128_t) in1[0]) * in2[5] -+ + ((uint128_t) in1[1]) * in2[4] -+ + ((uint128_t) in1[2]) * in2[3] -+ + ((uint128_t) in1[3]) * in2[2] -+ + ((uint128_t) in1[4]) * in2[1] -+ + ((uint128_t) in1[5]) * in2[0]; -+ -+ out[6] = ((uint128_t) in1[0]) * in2[6] -+ + ((uint128_t) in1[1]) * in2[5] -+ + ((uint128_t) in1[2]) * in2[4] -+ + ((uint128_t) in1[3]) * in2[3] -+ + ((uint128_t) in1[4]) * in2[2] -+ + ((uint128_t) in1[5]) * in2[1] -+ + ((uint128_t) in1[6]) * in2[0]; -+ -+ out[7] = ((uint128_t) in1[1]) * in2[6] -+ + ((uint128_t) in1[2]) * in2[5] -+ + ((uint128_t) in1[3]) * in2[4] -+ + ((uint128_t) in1[4]) * in2[3] -+ + ((uint128_t) in1[5]) * in2[2] -+ + ((uint128_t) in1[6]) * in2[1]; -+ -+ out[8] = ((uint128_t) in1[2]) * in2[6] -+ + ((uint128_t) in1[3]) * in2[5] -+ + ((uint128_t) in1[4]) * in2[4] -+ + ((uint128_t) in1[5]) * in2[3] -+ + ((uint128_t) in1[6]) * in2[2]; -+ -+ out[9] = ((uint128_t) in1[3]) * in2[6] -+ + ((uint128_t) in1[4]) * in2[5] -+ + ((uint128_t) in1[5]) * in2[4] -+ + ((uint128_t) in1[6]) * in2[3]; -+ -+ out[10] = ((uint128_t) in1[4]) * in2[6] -+ + ((uint128_t) in1[5]) * in2[5] -+ + 
((uint128_t) in1[6]) * in2[4]; -+ -+ out[11] = ((uint128_t) in1[5]) * in2[6] -+ + ((uint128_t) in1[6]) * in2[5]; -+ -+ out[12] = ((uint128_t) in1[6]) * in2[6]; -+} -+ -+/*- -+ * Reduce thirteen 128-bit coefficients to seven 64-bit coefficients. -+ * in[i] < 2^128 - 2^125 -+ * out[i] < 2^56 for i < 6, -+ * out[6] <= 2^48 -+ * -+ * The technique in use here stems from the format of the prime modulus: -+ * P384 = 2^384 - delta -+ * -+ * Thus we can reduce numbers of the form (X + 2^384 * Y) by substituting -+ * them with (X + delta Y), with delta = 2^128 + 2^96 + (-2^32 + 1). These -+ * coefficients are still quite large, and so we repeatedly apply this -+ * technique on high-order bits in order to guarantee the desired bounds on -+ * the size of our output. -+ * -+ * The three phases of elimination are as follows: -+ * [1]: Y = 2^120 (in[12] | in[11] | in[10] | in[9]) -+ * [2]: Y = 2^8 (acc[8] | acc[7]) -+ * [3]: Y = 2^48 (acc[6] >> 48) -+ * (Where a | b | c | d = (2^56)^3 a + (2^56)^2 b + (2^56) c + d) -+ */ -+static void felem_reduce(felem out, const widefelem in) -+{ -+ /* -+ * In order to prevent underflow, we add a multiple of p before subtracting. -+ * Use telescopic sums to represent 2^76 * p redundantly with each limb -+ * of the form 2^124 + ... 
-+ */ -+ static const widelimb two124m68 = (((widelimb) 1) << 124) -+ - (((widelimb) 1) << 68); -+ static const widelimb two124m116m68 = (((widelimb) 1) << 124) -+ - (((widelimb) 1) << 116) -+ - (((widelimb) 1) << 68); -+ static const widelimb two124p108m76 = (((widelimb) 1) << 124) -+ + (((widelimb) 1) << 108) -+ - (((widelimb) 1) << 76); -+ static const widelimb two124m92m68 = (((widelimb) 1) << 124) -+ - (((widelimb) 1) << 92) -+ - (((widelimb) 1) << 68); -+ widelimb temp, acc[9]; -+ unsigned int i; -+ -+ memcpy(acc, in, sizeof(widelimb) * 9); -+ -+ acc[0] += two124p108m76; -+ acc[1] += two124m116m68; -+ acc[2] += two124m92m68; -+ acc[3] += two124m68; -+ acc[4] += two124m68; -+ acc[5] += two124m68; -+ acc[6] += two124m68; -+ -+ /* [1]: Eliminate in[9], ..., in[12] */ -+ acc[8] += in[12] >> 32; -+ acc[7] += (in[12] & 0xffffffff) << 24; -+ acc[7] += in[12] >> 8; -+ acc[6] += (in[12] & 0xff) << 48; -+ acc[6] -= in[12] >> 16; -+ acc[5] -= ((in[12] & 0xffff) << 40); -+ acc[6] += in[12] >> 48; -+ acc[5] += (in[12] & 0xffffffffffff) << 8; -+ -+ acc[7] += in[11] >> 32; -+ acc[6] += (in[11] & 0xffffffff) << 24; -+ acc[6] += in[11] >> 8; -+ acc[5] += (in[11] & 0xff) << 48; -+ acc[5] -= in[11] >> 16; -+ acc[4] -= ((in[11] & 0xffff) << 40); -+ acc[5] += in[11] >> 48; -+ acc[4] += (in[11] & 0xffffffffffff) << 8; -+ -+ acc[6] += in[10] >> 32; -+ acc[5] += (in[10] & 0xffffffff) << 24; -+ acc[5] += in[10] >> 8; -+ acc[4] += (in[10] & 0xff) << 48; -+ acc[4] -= in[10] >> 16; -+ acc[3] -= ((in[10] & 0xffff) << 40); -+ acc[4] += in[10] >> 48; -+ acc[3] += (in[10] & 0xffffffffffff) << 8; -+ -+ acc[5] += in[9] >> 32; -+ acc[4] += (in[9] & 0xffffffff) << 24; -+ acc[4] += in[9] >> 8; -+ acc[3] += (in[9] & 0xff) << 48; -+ acc[3] -= in[9] >> 16; -+ acc[2] -= ((in[9] & 0xffff) << 40); -+ acc[3] += in[9] >> 48; -+ acc[2] += (in[9] & 0xffffffffffff) << 8; -+ -+ /* -+ * [2]: Eliminate acc[7], acc[8], that is the 7 and eighth limbs, as -+ * well as the contributions made from eliminating 
higher limbs. -+ * acc[7] < in[7] + 2^120 + 2^56 < in[7] + 2^121 -+ * acc[8] < in[8] + 2^96 -+ */ -+ acc[4] += acc[8] >> 32; -+ acc[3] += (acc[8] & 0xffffffff) << 24; -+ acc[3] += acc[8] >> 8; -+ acc[2] += (acc[8] & 0xff) << 48; -+ acc[2] -= acc[8] >> 16; -+ acc[1] -= ((acc[8] & 0xffff) << 40); -+ acc[2] += acc[8] >> 48; -+ acc[1] += (acc[8] & 0xffffffffffff) << 8; -+ -+ acc[3] += acc[7] >> 32; -+ acc[2] += (acc[7] & 0xffffffff) << 24; -+ acc[2] += acc[7] >> 8; -+ acc[1] += (acc[7] & 0xff) << 48; -+ acc[1] -= acc[7] >> 16; -+ acc[0] -= ((acc[7] & 0xffff) << 40); -+ acc[1] += acc[7] >> 48; -+ acc[0] += (acc[7] & 0xffffffffffff) << 8; -+ -+ /*- -+ * acc[k] < in[k] + 2^124 + 2^121 -+ * < in[k] + 2^125 -+ * < 2^128, for k <= 6 -+ */ -+ -+ /* -+ * Carry 4 -> 5 -> 6 -+ * This has the effect of ensuring that these more significant limbs -+ * will be small in value after eliminating high bits from acc[6]. -+ */ -+ acc[5] += acc[4] >> 56; -+ acc[4] &= 0x00ffffffffffffff; -+ -+ acc[6] += acc[5] >> 56; -+ acc[5] &= 0x00ffffffffffffff; -+ -+ /*- -+ * acc[6] < in[6] + 2^124 + 2^121 + 2^72 + 2^16 -+ * < in[6] + 2^125 -+ * < 2^128 -+ */ -+ -+ /* [3]: Eliminate high bits of acc[6] */ -+ temp = acc[6] >> 48; -+ acc[6] &= 0x0000ffffffffffff; -+ -+ /* temp < 2^80 */ -+ -+ acc[3] += temp >> 40; -+ acc[2] += (temp & 0xffffffffff) << 16; -+ acc[2] += temp >> 16; -+ acc[1] += (temp & 0xffff) << 40; -+ acc[1] -= temp >> 24; -+ acc[0] -= (temp & 0xffffff) << 32; -+ acc[0] += temp; -+ -+ /*- -+ * acc[k] < acc_old[k] + 2^64 + 2^56 -+ * < in[k] + 2^124 + 2^121 + 2^72 + 2^64 + 2^56 + 2^16 , k < 4 -+ */ -+ -+ /* Carry 0 -> 1 -> 2 -> 3 -> 4 -> 5 -> 6 */ -+ acc[1] += acc[0] >> 56; /* acc[1] < acc_old[1] + 2^72 */ -+ acc[0] &= 0x00ffffffffffffff; -+ -+ acc[2] += acc[1] >> 56; /* acc[2] < acc_old[2] + 2^72 + 2^16 */ -+ acc[1] &= 0x00ffffffffffffff; -+ -+ acc[3] += acc[2] >> 56; /* acc[3] < acc_old[3] + 2^72 + 2^16 */ -+ acc[2] &= 0x00ffffffffffffff; -+ -+ /*- -+ * acc[k] < acc_old[k] + 2^72 + 2^16 
-+ * < in[k] + 2^124 + 2^121 + 2^73 + 2^64 + 2^56 + 2^17 -+ * < in[k] + 2^125 -+ * < 2^128 , k < 4 -+ */ -+ -+ acc[4] += acc[3] >> 56; /*- -+ * acc[4] < acc_old[4] + 2^72 + 2^16 -+ * < 2^72 + 2^56 + 2^16 -+ */ -+ acc[3] &= 0x00ffffffffffffff; -+ -+ acc[5] += acc[4] >> 56; /*- -+ * acc[5] < acc_old[5] + 2^16 + 1 -+ * < 2^56 + 2^16 + 1 -+ */ -+ acc[4] &= 0x00ffffffffffffff; -+ -+ acc[6] += acc[5] >> 56; /* acc[6] < 2^48 + 1 <= 2^48 */ -+ acc[5] &= 0x00ffffffffffffff; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] = acc[i]; -+} -+ -+#if defined(ECP_NISTP384_ASM) -+static void felem_square_wrapper(widefelem out, const felem in); -+static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2); -+ -+static void (*felem_square_p)(widefelem out, const felem in) = -+ felem_square_wrapper; -+static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) = -+ felem_mul_wrapper; -+ -+void p384_felem_square(widefelem out, const felem in); -+void p384_felem_mul(widefelem out, const felem in1, const felem in2); -+ -+# if defined(_ARCH_PPC64) -+# include "crypto/ppc_arch.h" -+# endif -+ -+static void felem_select(void) -+{ -+ /* Default */ -+ felem_square_p = felem_square_ref; -+ felem_mul_p = felem_mul_ref; -+} -+ -+static void felem_square_wrapper(widefelem out, const felem in) -+{ -+ felem_select(); -+ felem_square_p(out, in); -+} -+ -+static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2) -+{ -+ felem_select(); -+ felem_mul_p(out, in1, in2); -+} -+ -+# define felem_square felem_square_p -+# define felem_mul felem_mul_p -+#else -+# define felem_square felem_square_ref -+# define felem_mul felem_mul_ref -+#endif -+ -+static ossl_inline void felem_square_reduce(felem out, const felem in) -+{ -+ widefelem tmp; -+ -+ felem_square(tmp, in); -+ felem_reduce(out, tmp); -+} -+ -+static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem in2) -+{ -+ widefelem tmp; -+ -+ felem_mul(tmp, in1, in2); -+ 
felem_reduce(out, tmp); -+} -+ -+/*- -+ * felem_inv calculates |out| = |in|^{-1} -+ * -+ * Based on Fermat's Little Theorem: -+ * a^p = a (mod p) -+ * a^{p-1} = 1 (mod p) -+ * a^{p-2} = a^{-1} (mod p) -+ */ -+static void felem_inv(felem out, const felem in) -+{ -+ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6; -+ unsigned int i = 0; -+ -+ felem_square_reduce(ftmp, in); /* 2^1 */ -+ felem_mul_reduce(ftmp, ftmp, in); /* 2^1 + 2^0 */ -+ felem_assign(ftmp2, ftmp); -+ -+ felem_square_reduce(ftmp, ftmp); /* 2^2 + 2^1 */ -+ felem_mul_reduce(ftmp, ftmp, in); /* 2^2 + 2^1 * 2^0 */ -+ felem_assign(ftmp3, ftmp); -+ -+ for (i = 0; i < 3; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^5 + 2^4 + 2^3 */ -+ felem_mul_reduce(ftmp, ftmp3, ftmp); /* 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 */ -+ felem_assign(ftmp4, ftmp); -+ -+ for (i = 0; i < 6; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^11 + ... + 2^6 */ -+ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^11 + ... + 2^0 */ -+ -+ for (i = 0; i < 3; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^14 + ... + 2^3 */ -+ felem_mul_reduce(ftmp, ftmp3, ftmp); /* 2^14 + ... + 2^0 */ -+ felem_assign(ftmp5, ftmp); -+ -+ for (i = 0; i < 15; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^29 + ... + 2^15 */ -+ felem_mul_reduce(ftmp, ftmp5, ftmp); /* 2^29 + ... + 2^0 */ -+ felem_assign(ftmp6, ftmp); -+ -+ for (i = 0; i < 30; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^59 + ... + 2^30 */ -+ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^59 + ... + 2^0 */ -+ felem_assign(ftmp4, ftmp); -+ -+ for (i = 0; i < 60; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^119 + ... + 2^60 */ -+ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^119 + ... + 2^0 */ -+ felem_assign(ftmp4, ftmp); -+ -+ for (i = 0; i < 120; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^239 + ... + 2^120 */ -+ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^239 + ... + 2^0 */ -+ -+ for (i = 0; i < 15; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^254 + ... + 2^15 */ -+ felem_mul_reduce(ftmp, ftmp5, ftmp); /* 2^254 + ... 
+ 2^0 */ -+ -+ for (i = 0; i < 31; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^285 + ... + 2^31 */ -+ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^285 + ... + 2^31 + 2^29 + ... + 2^0 */ -+ -+ for (i = 0; i < 2; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^287 + ... + 2^33 + 2^31 + ... + 2^2 */ -+ felem_mul_reduce(ftmp, ftmp2, ftmp); /* 2^287 + ... + 2^33 + 2^31 + ... + 2^0 */ -+ -+ for (i = 0; i < 94; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^381 + ... + 2^127 + 2^125 + ... + 2^94 */ -+ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^381 + ... + 2^127 + 2^125 + ... + 2^94 + 2^29 + ... + 2^0 */ -+ -+ for (i = 0; i < 2; i++) -+ felem_square_reduce(ftmp, ftmp); /* 2^383 + ... + 2^129 + 2^127 + ... + 2^96 + 2^31 + ... + 2^2 */ -+ felem_mul_reduce(ftmp, in, ftmp); /* 2^383 + ... + 2^129 + 2^127 + ... + 2^96 + 2^31 + ... + 2^2 + 2^0 */ -+ -+ memcpy(out, ftmp, sizeof(felem)); -+} -+ -+/* -+ * Zero-check: returns a limb with all bits set if |in| == 0 (mod p) -+ * and 0 otherwise. We know that field elements are reduced to -+ * 0 < in < 2p, so we only need to check two cases: -+ * 0 and 2^384 - 2^128 - 2^96 + 2^32 - 1 -+ * in[k] < 2^56, k < 6 -+ * in[6] <= 2^48 -+ */ -+static limb felem_is_zero(const felem in) -+{ -+ limb zero, p384; -+ -+ zero = in[0] | in[1] | in[2] | in[3] | in[4] | in[5] | in[6]; -+ zero = ((int64_t) (zero) - 1) >> 63; -+ p384 = (in[0] ^ 0x000000ffffffff) | (in[1] ^ 0xffff0000000000) -+ | (in[2] ^ 0xfffffffffeffff) | (in[3] ^ 0xffffffffffffff) -+ | (in[4] ^ 0xffffffffffffff) | (in[5] ^ 0xffffffffffffff) -+ | (in[6] ^ 0xffffffffffff); -+ p384 = ((int64_t) (p384) - 1) >> 63; -+ -+ return (zero | p384); -+} -+ -+static int felem_is_zero_int(const void *in) -+{ -+ return (int)(felem_is_zero(in) & ((limb) 1)); -+} -+ -+/*- -+ * felem_contract converts |in| to its unique, minimal representation. -+ * Assume we've removed all redundant bits. 
-+ * On entry:
-+ * in[k] < 2^56, k < 6
-+ * in[6] <= 2^48
-+ */
-+static void felem_contract(felem out, const felem in)
-+{
-+ static const int64_t two56 = ((limb) 1) << 56;
-+
-+ /*
-+ * We know for a fact that 0 <= |in| < 2*p, for p = 2^384 - 2^128 - 2^96 + 2^32 - 1
-+ * Perform two successive, idempotent subtractions to reduce if |in| >= p.
-+ */
-+
-+ int64_t tmp[NLIMBS], cond[5], a;
-+ unsigned int i;
-+
-+ memcpy(tmp, in, sizeof(felem));
-+
-+ /* Case 1: a = 1 iff |in| >= 2^384 */
-+ a = (in[6] >> 48);
-+ tmp[0] += a;
-+ tmp[0] -= a << 32;
-+ tmp[1] += a << 40;
-+ tmp[2] += a << 16;
-+ tmp[6] &= 0x0000ffffffffffff;
-+
-+ /*
-+ * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be
-+ * non-zero, so we only need one step
-+ */
-+
-+ a = tmp[0] >> 63;
-+ tmp[0] += a & two56;
-+ tmp[1] -= a & 1;
-+
-+ /* Carry 1 -> 2 -> 3 -> 4 -> 5 -> 6 */
-+ tmp[2] += tmp[1] >> 56;
-+ tmp[1] &= 0x00ffffffffffffff;
-+
-+ tmp[3] += tmp[2] >> 56;
-+ tmp[2] &= 0x00ffffffffffffff;
-+
-+ tmp[4] += tmp[3] >> 56;
-+ tmp[3] &= 0x00ffffffffffffff;
-+
-+ tmp[5] += tmp[4] >> 56;
-+ tmp[4] &= 0x00ffffffffffffff;
-+
-+ tmp[6] += tmp[5] >> 56; /* tmp[6] < 2^48 */
-+ tmp[5] &= 0x00ffffffffffffff;
-+
-+ /*
-+ * Case 2: a = all ones if p <= |in| < 2^384, 0 otherwise
-+ */
-+
-+ /* 0 iff (2^129..2^383) are all one */
-+ cond[0] = ((tmp[6] | 0xff000000000000) & tmp[5] & tmp[4] & tmp[3] & (tmp[2] | 0x0000000001ffff)) + 1;
-+ /* 0 iff 2^128 bit is one */
-+ cond[1] = (tmp[2] | ~0x00000000010000) + 1;
-+ /* 0 iff (2^96..2^127) bits are all one */
-+ cond[2] = ((tmp[2] | 0xffffffffff0000) & (tmp[1] | 0x0000ffffffffff)) + 1;
-+ /* 0 iff (2^32..2^95) bits are all zero */
-+ cond[3] = (tmp[1] & ~0xffff0000000000) | (tmp[0] & ~((int64_t) 0x000000ffffffff));
-+ /* 0 iff (2^0..2^31) bits are all one */
-+ cond[4] = (tmp[0] | 0xffffff00000000) + 1;
-+
-+ /*
-+ * In effect, invert our conditions, so that 0 values become all 1's,
-+ * any non-zero value in the low-order 56 bits becomes all
0's
-+ */
-+ for (i = 0; i < 5; i++)
-+ cond[i] = ((cond[i] & 0x00ffffffffffffff) - 1) >> 63;
-+
-+ /*
-+ * The condition for determining whether in is greater than our
-+ * prime is given by the following condition.
-+ */
-+
-+ /* First subtract 2^384 - 2^129 cheaply */
-+ a = cond[0] & (cond[1] | (cond[2] & (~cond[3] | cond[4])));
-+ tmp[6] &= ~a;
-+ tmp[5] &= ~a;
-+ tmp[4] &= ~a;
-+ tmp[3] &= ~a;
-+ tmp[2] &= ~a | 0x0000000001ffff;
-+
-+ /*
-+ * Subtract 2^128 - 2^96 by
-+ * means of disjoint cases.
-+ */
-+
-+ /* subtract 2^128 if that bit is present, and add 2^96 */
-+ a = cond[0] & cond[1];
-+ tmp[2] &= ~a | 0xfffffffffeffff;
-+ tmp[1] += a & ((int64_t) 1 << 40);
-+
-+ /* otherwise, clear bits 2^127 .. 2^96 */
-+ a = cond[0] & ~cond[1] & (cond[2] & (~cond[3] | cond[4]));
-+ tmp[2] &= ~a | 0xffffffffff0000;
-+ tmp[1] &= ~a | 0x0000ffffffffff;
-+
-+ /* finally, subtract the last 2^32 - 1 */
-+ a = cond[0] & (cond[1] | (cond[2] & (~cond[3] | cond[4])));
-+ tmp[0] += a & (-((int64_t) 1 << 32) + 1);
-+
-+ /*
-+ * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be
-+ * non-zero, so we only need one step
-+ */
-+ a = tmp[0] >> 63;
-+ tmp[0] += a & two56;
-+ tmp[1] -= a & 1;
-+
-+ /* Carry 1 -> 2 -> 3 -> 4 -> 5 -> 6 */
-+ tmp[2] += tmp[1] >> 56;
-+ tmp[1] &= 0x00ffffffffffffff;
-+
-+ tmp[3] += tmp[2] >> 56;
-+ tmp[2] &= 0x00ffffffffffffff;
-+
-+ tmp[4] += tmp[3] >> 56;
-+ tmp[3] &= 0x00ffffffffffffff;
-+
-+ tmp[5] += tmp[4] >> 56;
-+ tmp[4] &= 0x00ffffffffffffff;
-+
-+ tmp[6] += tmp[5] >> 56;
-+ tmp[5] &= 0x00ffffffffffffff;
-+
-+ memcpy(out, tmp, sizeof(felem));
-+}
-+
-+/*-
-+ * Group operations
-+ * ----------------
-+ *
-+ * Building on top of the field operations we have the operations on the
-+ * elliptic curve group itself.
Points on the curve are represented in Jacobian
-+ * coordinates
-+ */
-+
-+/*-
-+ * point_double calculates 2*(x_in, y_in, z_in)
-+ *
-+ * The method is taken from:
-+ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
-+ *
-+ * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
-+ * while x_out == y_in is not (maybe this works, but it's not tested).
-+ */
-+static void
-+point_double(felem x_out, felem y_out, felem z_out,
-+ const felem x_in, const felem y_in, const felem z_in)
-+{
-+ widefelem tmp, tmp2;
-+ felem delta, gamma, beta, alpha, ftmp, ftmp2;
-+
-+ felem_assign(ftmp, x_in);
-+ felem_assign(ftmp2, x_in);
-+
-+ /* delta = z^2 */
-+ felem_square_reduce(delta, z_in); /* delta[i] < 2^56 */
-+
-+ /* gamma = y^2 */
-+ felem_square_reduce(gamma, y_in); /* gamma[i] < 2^56 */
-+
-+ /* beta = x*gamma */
-+ felem_mul_reduce(beta, x_in, gamma); /* beta[i] < 2^56 */
-+
-+ /* alpha = 3*(x-delta)*(x+delta) */
-+ felem_diff64(ftmp, delta); /* ftmp[i] < 2^60 + 2^58 + 2^44 */
-+ felem_sum64(ftmp2, delta); /* ftmp2[i] < 2^59 */
-+ felem_scalar64(ftmp2, 3); /* ftmp2[i] < 2^61 */
-+ felem_mul_reduce(alpha, ftmp, ftmp2); /* alpha[i] < 2^56 */
-+
-+ /* x' = alpha^2 - 8*beta */
-+ felem_square(tmp, alpha); /* tmp[i] < 2^115 */
-+ felem_assign(ftmp, beta); /* ftmp[i] < 2^56 */
-+ felem_scalar64(ftmp, 8); /* ftmp[i] < 2^59 */
-+ felem_diff_128_64(tmp, ftmp); /* tmp[i] < 2^115 + 2^64 + 2^48 */
-+ felem_reduce(x_out, tmp); /* x_out[i] < 2^56 */
-+
-+ /* z' = (y + z)^2 - gamma - delta */
-+ felem_sum64(delta, gamma); /* delta[i] < 2^57 */
-+ felem_assign(ftmp, y_in); /* ftmp[i] < 2^56 */
-+ felem_sum64(ftmp, z_in); /* ftmp[i] < 2^56 */
-+ felem_square(tmp, ftmp); /* tmp[i] < 2^115 */
-+ felem_diff_128_64(tmp, delta); /* tmp[i] < 2^115 + 2^64 + 2^48 */
-+ felem_reduce(z_out, tmp); /* z_out[i] < 2^56 */
-+
-+ /* y' = alpha*(4*beta - x') - 8*gamma^2 */
-+ felem_scalar64(beta, 4); /* beta[i] < 2^58 */
-+ felem_diff64(beta, x_out); /*
beta[i] < 2^60 + 2^58 + 2^44 */
-+ felem_mul(tmp, alpha, beta); /* tmp[i] < 2^119 */
-+ felem_square(tmp2, gamma); /* tmp2[i] < 2^115 */
-+ felem_scalar128(tmp2, 8); /* tmp2[i] < 2^118 */
-+ felem_diff128(tmp, tmp2); /* tmp[i] < 2^127 + 2^119 + 2^111 */
-+ felem_reduce(y_out, tmp); /* tmp[i] < 2^56 */
-+}
-+
-+/* copy_conditional copies in to out iff mask is all ones. */
-+static void copy_conditional(felem out, const felem in, limb mask)
-+{
-+ unsigned int i;
-+
-+ for (i = 0; i < NLIMBS; i++)
-+ out[i] ^= mask & (in[i] ^ out[i]);
-+}
-+
-+/*-
-+ * point_add calculates (x1, y1, z1) + (x2, y2, z2)
-+ *
-+ * The method is taken from
-+ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
-+ * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
-+ *
-+ * This function includes a branch for checking whether the two input points
-+ * are equal (while not equal to the point at infinity). See comment below
-+ * on constant-time.
-+ */
-+static void point_add(felem x3, felem y3, felem z3,
-+ const felem x1, const felem y1, const felem z1,
-+ const int mixed, const felem x2, const felem y2,
-+ const felem z2)
-+{
-+ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
-+ widefelem tmp, tmp2;
-+ limb x_equal, y_equal, z1_is_zero, z2_is_zero;
-+ limb points_equal;
-+
-+ z1_is_zero = felem_is_zero(z1);
-+ z2_is_zero = felem_is_zero(z2);
-+
-+ /* ftmp = z1z1 = z1**2 */
-+ felem_square_reduce(ftmp, z1); /* ftmp[i] < 2^56 */
-+
-+ if (!mixed) {
-+ /* ftmp2 = z2z2 = z2**2 */
-+ felem_square_reduce(ftmp2, z2); /* ftmp2[i] < 2^56 */
-+
-+ /* u1 = ftmp3 = x1*z2z2 */
-+ felem_mul_reduce(ftmp3, x1, ftmp2); /* ftmp3[i] < 2^56 */
-+
-+ /* ftmp5 = z1 + z2 */
-+ felem_assign(ftmp5, z1); /* ftmp5[i] < 2^56 */
-+ felem_sum64(ftmp5, z2); /* ftmp5[i] < 2^57 */
-+
-+ /* ftmp5 = (z1 + z2)**2 - z1z1 - z2z2 = 2*z1z2 */
-+ felem_square(tmp, ftmp5); /* tmp[i] < 2^117 */
-+ felem_diff_128_64(tmp, ftmp); /* tmp[i] < 2^117 + 2^64 +
2^48 */
-+ felem_diff_128_64(tmp, ftmp2); /* tmp[i] < 2^117 + 2^65 + 2^49 */
-+ felem_reduce(ftmp5, tmp); /* ftmp5[i] < 2^56 */
-+
-+ /* ftmp2 = z2 * z2z2 */
-+ felem_mul_reduce(ftmp2, ftmp2, z2); /* ftmp2[i] < 2^56 */
-+
-+ /* s1 = ftmp6 = y1 * z2**3 */
-+ felem_mul_reduce(ftmp6, y1, ftmp2); /* ftmp6[i] < 2^56 */
-+ } else {
-+ /*
-+ * We'll assume z2 = 1 (special case z2 = 0 is handled later)
-+ */
-+
-+ /* u1 = ftmp3 = x1*z2z2 */
-+ felem_assign(ftmp3, x1); /* ftmp3[i] < 2^56 */
-+
-+ /* ftmp5 = 2*z1z2 */
-+ felem_scalar(ftmp5, z1, 2); /* ftmp5[i] < 2^57 */
-+
-+ /* s1 = ftmp6 = y1 * z2**3 */
-+ felem_assign(ftmp6, y1); /* ftmp6[i] < 2^56 */
-+ }
-+ /* ftmp3[i] < 2^56, ftmp5[i] < 2^57, ftmp6[i] < 2^56 */
-+
-+ /* u2 = x2*z1z1 */
-+ felem_mul(tmp, x2, ftmp); /* tmp[i] < 2^115 */
-+
-+ /* h = ftmp4 = u2 - u1 */
-+ felem_diff_128_64(tmp, ftmp3); /* tmp[i] < 2^115 + 2^64 + 2^48 */
-+ felem_reduce(ftmp4, tmp); /* ftmp[4] < 2^56 */
-+
-+ x_equal = felem_is_zero(ftmp4);
-+
-+ /* z_out = ftmp5 * h */
-+ felem_mul_reduce(z_out, ftmp5, ftmp4); /* z_out[i] < 2^56 */
-+
-+ /* ftmp = z1 * z1z1 */
-+ felem_mul_reduce(ftmp, ftmp, z1); /* ftmp[i] < 2^56 */
-+
-+ /* s2 = tmp = y2 * z1**3 */
-+ felem_mul(tmp, y2, ftmp); /* tmp[i] < 2^115 */
-+
-+ /* r = ftmp5 = (s2 - s1)*2 */
-+ felem_diff_128_64(tmp, ftmp6); /* tmp[i] < 2^115 + 2^64 + 2^48 */
-+ felem_reduce(ftmp5, tmp); /* ftmp5[i] < 2^56 */
-+ y_equal = felem_is_zero(ftmp5);
-+ felem_scalar64(ftmp5, 2); /* ftmp5[i] < 2^57 */
-+
-+ /*
-+ * The formulae are incorrect if the points are equal, in affine coordinates
-+ * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
-+ * happens.
-+ *
-+ * We use bitwise operations to avoid potential side-channels introduced by
-+ * the short-circuiting behaviour of boolean operators.
-+ *
-+ * The special case of either point being the point at infinity (z1 and/or
-+ * z2 are zero), is handled separately later on in this function, so we
-+ * avoid jumping to point_double here in those special cases.
-+ *
-+ * Notice the comment below on the implications of this branching for timing
-+ * leaks and why it is considered practically irrelevant.
-+ */
-+ points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero));
-+
-+ if (points_equal) {
-+ /*
-+ * This is obviously not constant-time but it will almost-never happen
-+ * for ECDH / ECDSA.
-+ */
-+ point_double(x3, y3, z3, x1, y1, z1);
-+ return;
-+ }
-+
-+ /* I = ftmp = (2h)**2 */
-+ felem_assign(ftmp, ftmp4); /* ftmp[i] < 2^56 */
-+ felem_scalar64(ftmp, 2); /* ftmp[i] < 2^57 */
-+ felem_square_reduce(ftmp, ftmp); /* ftmp[i] < 2^56 */
-+
-+ /* J = ftmp2 = h * I */
-+ felem_mul_reduce(ftmp2, ftmp4, ftmp); /* ftmp2[i] < 2^56 */
-+
-+ /* V = ftmp4 = U1 * I */
-+ felem_mul_reduce(ftmp4, ftmp3, ftmp); /* ftmp4[i] < 2^56 */
-+
-+ /* x_out = r**2 - J - 2V */
-+ felem_square(tmp, ftmp5); /* tmp[i] < 2^117 */
-+ felem_diff_128_64(tmp, ftmp2); /* tmp[i] < 2^117 + 2^64 + 2^48 */
-+ felem_assign(ftmp3, ftmp4); /* ftmp3[i] < 2^56 */
-+ felem_scalar64(ftmp4, 2); /* ftmp4[i] < 2^57 */
-+ felem_diff_128_64(tmp, ftmp4); /* tmp[i] < 2^117 + 2^65 + 2^49 */
-+ felem_reduce(x_out, tmp); /* x_out[i] < 2^56 */
-+
-+ /* y_out = r(V-x_out) - 2 * s1 * J */
-+ felem_diff64(ftmp3, x_out); /* ftmp3[i] < 2^60 + 2^56 + 2^44 */
-+ felem_mul(tmp, ftmp5, ftmp3); /* tmp[i] < 2^116 */
-+ felem_mul(tmp2, ftmp6, ftmp2); /* tmp2[i] < 2^115 */
-+ felem_scalar128(tmp2, 2); /* tmp2[i] < 2^116 */
-+ felem_diff128(tmp, tmp2); /* tmp[i] < 2^127 + 2^116 + 2^111 */
-+ felem_reduce(y_out, tmp); /* y_out[i] < 2^56 */
-+
-+ copy_conditional(x_out, x2, z1_is_zero);
-+ copy_conditional(x_out, x1, z2_is_zero);
-+ copy_conditional(y_out, y2, z1_is_zero);
-+ copy_conditional(y_out, y1, z2_is_zero);
-+ copy_conditional(z_out, z2, z1_is_zero);
-+
copy_conditional(z_out, z1, z2_is_zero);
-+ felem_assign(x3, x_out);
-+ felem_assign(y3, y_out);
-+ felem_assign(z3, z_out);
-+}
-+
-+/*-
-+ * Base point pre computation
-+ * --------------------------
-+ *
-+ * Two different sorts of precomputed tables are used in the following code.
-+ * Each contain various points on the curve, where each point is three field
-+ * elements (x, y, z).
-+ *
-+ * For the base point table, z is usually 1 (0 for the point at infinity).
-+ * This table has 16 elements:
-+ * index | bits | point
-+ * ------+---------+------------------------------
-+ * 0 | 0 0 0 0 | 0G
-+ * 1 | 0 0 0 1 | 1G
-+ * 2 | 0 0 1 0 | 2^95G
-+ * 3 | 0 0 1 1 | (2^95 + 1)G
-+ * 4 | 0 1 0 0 | 2^190G
-+ * 5 | 0 1 0 1 | (2^190 + 1)G
-+ * 6 | 0 1 1 0 | (2^190 + 2^95)G
-+ * 7 | 0 1 1 1 | (2^190 + 2^95 + 1)G
-+ * 8 | 1 0 0 0 | 2^285G
-+ * 9 | 1 0 0 1 | (2^285 + 1)G
-+ * 10 | 1 0 1 0 | (2^285 + 2^95)G
-+ * 11 | 1 0 1 1 | (2^285 + 2^95 + 1)G
-+ * 12 | 1 1 0 0 | (2^285 + 2^190)G
-+ * 13 | 1 1 0 1 | (2^285 + 2^190 + 1)G
-+ * 14 | 1 1 1 0 | (2^285 + 2^190 + 2^95)G
-+ * 15 | 1 1 1 1 | (2^285 + 2^190 + 2^95 + 1)G
-+ *
-+ * The reason for this is so that we can clock bits into four different
-+ * locations when doing simple scalar multiplies against the base point.
-+ *
-+ * Tables for other points have table[i] = iG for i in 0 .. 16.
-+ */
-+
-+/* gmul is the table of precomputed base points */
-+static const felem gmul[16][3] = {
-+{{0, 0, 0, 0, 0, 0, 0},
-+ {0, 0, 0, 0, 0, 0, 0},
-+ {0, 0, 0, 0, 0, 0, 0}},
-+{{0x00545e3872760ab7, 0x00f25dbf55296c3a, 0x00e082542a385502, 0x008ba79b9859f741,
-+ 0x0020ad746e1d3b62, 0x0005378eb1c71ef3, 0x0000aa87ca22be8b},
-+ {0x00431d7c90ea0e5f, 0x00b1ce1d7e819d7a, 0x0013b5f0b8c00a60, 0x00289a147ce9da31,
-+ 0x0092dc29f8f41dbd, 0x002c6f5d9e98bf92, 0x00003617de4a9626},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00024711cc902a90, 0x00acb2e579ab4fe1, 0x00af818a4b4d57b1, 0x00a17c7bec49c3de,
-+ 0x004280482d726a8b, 0x00128dd0f0a90f3b, 0x00004387c1c3fa3c},
-+ {0x002ce76543cf5c3a, 0x00de6cee5ef58f0a, 0x00403e42fa561ca6, 0x00bc54d6f9cb9731,
-+ 0x007155f925fb4ff1, 0x004a9ce731b7b9bc, 0x00002609076bd7b2},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00e74c9182f0251d, 0x0039bf54bb111974, 0x00b9d2f2eec511d2, 0x0036b1594eb3a6a4,
-+ 0x00ac3bb82d9d564b, 0x00f9313f4615a100, 0x00006716a9a91b10},
-+ {0x0046698116e2f15c, 0x00f34347067d3d33, 0x008de4ccfdebd002, 0x00e838c6b8e8c97b,
-+ 0x006faf0798def346, 0x007349794a57563c, 0x00002629e7e6ad84},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x0075300e34fd163b, 0x0092e9db4e8d0ad3, 0x00254be9f625f760, 0x00512c518c72ae68,
-+ 0x009bfcf162bede5a, 0x00bf9341566ce311, 0x0000cd6175bd41cf},
-+ {0x007dfe52af4ac70f, 0x0002159d2d5c4880, 0x00b504d16f0af8d0, 0x0014585e11f5e64c,
-+ 0x0089c6388e030967, 0x00ffb270cbfa5f71, 0x00009a15d92c3947},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x0033fc1278dc4fe5, 0x00d53088c2caa043, 0x0085558827e2db66, 0x00c192bef387b736,
-+ 0x00df6405a2225f2c, 0x0075205aa90fd91a, 0x0000137e3f12349d},
-+ {0x00ce5b115efcb07e, 0x00abc3308410deeb, 0x005dc6fc1de39904, 0x00907c1c496f36b4,
-+ 0x0008e6ad3926cbe1, 0x00110747b787928c, 0x0000021b9162eb7e},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x008180042cfa26e1, 0x007b826a96254967, 0x0082473694d6b194, 0x007bd6880a45b589,
-+ 0x00c0a5097072d1a3, 0x0019186555e18b4e, 0x000020278190e5ca},
-+ {0x00b4bef17de61ac0, 0x009535e3c38ed348,
0x002d4aa8e468ceab, 0x00ef40b431036ad3,
-+ 0x00defd52f4542857, 0x0086edbf98234266, 0x00002025b3a7814d},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00b238aa97b886be, 0x00ef3192d6dd3a32, 0x0079f9e01fd62df8, 0x00742e890daba6c5,
-+ 0x008e5289144408ce, 0x0073bbcc8e0171a5, 0x0000c4fd329d3b52},
-+ {0x00c6f64a15ee23e7, 0x00dcfb7b171cad8b, 0x00039f6cbd805867, 0x00de024e428d4562,
-+ 0x00be6a594d7c64c5, 0x0078467b70dbcd64, 0x0000251f2ed7079b},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x000e5cc25fc4b872, 0x005ebf10d31ef4e1, 0x0061e0ebd11e8256, 0x0076e026096f5a27,
-+ 0x0013e6fc44662e9a, 0x0042b00289d3597e, 0x000024f089170d88},
-+ {0x001604d7e0effbe6, 0x0048d77cba64ec2c, 0x008166b16da19e36, 0x006b0d1a0f28c088,
-+ 0x000259fcd47754fd, 0x00cc643e4d725f9a, 0x00007b10f3c79c14},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00430155e3b908af, 0x00b801e4fec25226, 0x00b0d4bcfe806d26, 0x009fc4014eb13d37,
-+ 0x0066c94e44ec07e8, 0x00d16adc03874ba2, 0x000030c917a0d2a7},
-+ {0x00edac9e21eb891c, 0x00ef0fb768102eff, 0x00c088cef272a5f3, 0x00cbf782134e2964,
-+ 0x0001044a7ba9a0e3, 0x00e363f5b194cf3c, 0x00009ce85249e372},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x001dd492dda5a7eb, 0x008fd577be539fd1, 0x002ff4b25a5fc3f1, 0x0074a8a1b64df72f,
-+ 0x002ba3d8c204a76c, 0x009d5cff95c8235a, 0x0000e014b9406e0f},
-+ {0x008c2e4dbfc98aba, 0x00f30bb89f1a1436, 0x00b46f7aea3e259c, 0x009224454ac02f54,
-+ 0x00906401f5645fa2, 0x003a1d1940eabc77, 0x00007c9351d680e6},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x005a35d872ef967c, 0x0049f1b7884e1987, 0x0059d46d7e31f552, 0x00ceb4869d2d0fb6,
-+ 0x00e8e89eee56802a, 0x0049d806a774aaf2, 0x0000147e2af0ae24},
-+ {0x005fd1bd852c6e5e, 0x00b674b7b3de6885, 0x003b9ea5eb9b6c08, 0x005c9f03babf3ef7,
-+ 0x00605337fecab3c7, 0x009a3f85b11bbcc8, 0x0000455470f330ec},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x002197ff4d55498d, 0x00383e8916c2d8af, 0x00eb203f34d1c6d2, 0x0080367cbd11b542,
-+ 0x00769b3be864e4f5, 0x0081a8458521c7bb, 0x0000c531b34d3539},
-+ {0x00e2a3d775fa2e13, 0x00534fc379573844, 0x00ff237d2a8db54a, 0x00d301b2335a8882,
-+
0x000f75ea96103a80, 0x0018fecb3cdd96fa, 0x0000304bf61e94eb},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00b2afc332a73dbd, 0x0029a0d5bb007bc5, 0x002d628eb210f577, 0x009f59a36dd05f50,
-+ 0x006d339de4eca613, 0x00c75a71addc86bc, 0x000060384c5ea93c},
-+ {0x00aa9641c32a30b4, 0x00cc73ae8cce565d, 0x00ec911a4df07f61, 0x00aa4b762ea4b264,
-+ 0x0096d395bb393629, 0x004efacfb7632fe0, 0x00006f252f46fa3f},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00567eec597c7af6, 0x0059ba6795204413, 0x00816d4e6f01196f, 0x004ae6b3eb57951d,
-+ 0x00420f5abdda2108, 0x003401d1f57ca9d9, 0x0000cf5837b0b67a},
-+ {0x00eaa64b8aeeabf9, 0x00246ddf16bcb4de, 0x000e7e3c3aecd751, 0x0008449f04fed72e,
-+ 0x00307b67ccf09183, 0x0017108c3556b7b1, 0x0000229b2483b3bf},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00e7c491a7bb78a1, 0x00eafddd1d3049ab, 0x00352c05e2bc7c98, 0x003d6880c165fa5c,
-+ 0x00b6ac61cc11c97d, 0x00beeb54fcf90ce5, 0x0000dc1f0b455edc},
-+ {0x002db2e7aee34d60, 0x0073b5f415a2d8c0, 0x00dd84e4193e9a0c, 0x00d02d873467c572,
-+ 0x0018baaeda60aee5, 0x0013fb11d697c61e, 0x000083aafcc3a973},
-+ {1, 0, 0, 0, 0, 0, 0}}
-+};
-+
-+/*
-+ * select_point selects the |idx|th point from a precomputation table and
-+ * copies it to out.
-+ *
-+ * pre_comp below is of the size provided in |size|.
-+ */
-+static void select_point(const limb idx, unsigned int size,
-+ const felem pre_comp[][3], felem out[3])
-+{
-+ unsigned int i, j;
-+ limb *outlimbs = &out[0][0];
-+
-+ memset(out, 0, sizeof(*out) * 3);
-+
-+ for (i = 0; i < size; i++) {
-+ const limb *inlimbs = &pre_comp[i][0][0];
-+ limb mask = i ^ idx;
-+
-+ mask |= mask >> 4;
-+ mask |= mask >> 2;
-+ mask |= mask >> 1;
-+ mask &= 1;
-+ mask--;
-+ for (j = 0; j < NLIMBS * 3; j++)
-+ outlimbs[j] |= inlimbs[j] & mask;
-+ }
-+}
-+
-+/* get_bit returns the |i|th bit in |in| */
-+static char get_bit(const felem_bytearray in, int i)
-+{
-+ if (i < 0 || i >= 384)
-+ return 0;
-+ return (in[i >> 3] >> (i & 7)) & 1;
-+}
-+
-+/*
-+ * Interleaved point multiplication using precomputed point multiples: The
-+ * small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[], the scalars
-+ * in scalars[]. If g_scalar is non-NULL, we also add this multiple of the
-+ * generator, using certain (large) precomputed multiples in g_pre_comp.
-+ * Output point (X, Y, Z) is stored in x_out, y_out, z_out
-+ */
-+static void batch_mul(felem x_out, felem y_out, felem z_out,
-+ const felem_bytearray scalars[],
-+ const unsigned int num_points, const u8 *g_scalar,
-+ const int mixed, const felem pre_comp[][17][3],
-+ const felem g_pre_comp[16][3])
-+{
-+ int i, skip;
-+ unsigned int num, gen_mul = (g_scalar != NULL);
-+ felem nq[3], tmp[4];
-+ limb bits;
-+ u8 sign, digit;
-+
-+ /* set nq to the point at infinity */
-+ memset(nq, 0, sizeof(nq));
-+
-+ /*
-+ * Loop over all scalars msb-to-lsb, interleaving additions of multiples
-+ * of the generator (last quarter of rounds) and additions of other
-+ * points multiples (every 5th round).
-+ */
-+ skip = 1; /* save two point operations in the first
-+ * round */
-+ for (i = (num_points ?
380 : 98); i >= 0; --i) {
-+ /* double */
-+ if (!skip)
-+ point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
-+
-+ /* add multiples of the generator */
-+ if (gen_mul && (i <= 98)) {
-+ bits = get_bit(g_scalar, i + 285) << 3;
-+ if (i < 95) {
-+ bits |= get_bit(g_scalar, i + 190) << 2;
-+ bits |= get_bit(g_scalar, i + 95) << 1;
-+ bits |= get_bit(g_scalar, i);
-+ }
-+ /* select the point to add, in constant time */
-+ select_point(bits, 16, g_pre_comp, tmp);
-+ if (!skip) {
-+ /* The 1 argument below is for "mixed" */
-+ point_add(nq[0], nq[1], nq[2],
-+ nq[0], nq[1], nq[2], 1,
-+ tmp[0], tmp[1], tmp[2]);
-+ } else {
-+ memcpy(nq, tmp, 3 * sizeof(felem));
-+ skip = 0;
-+ }
-+ }
-+
-+ /* do other additions every 5 doublings */
-+ if (num_points && (i % 5 == 0)) {
-+ /* loop over all scalars */
-+ for (num = 0; num < num_points; ++num) {
-+ bits = get_bit(scalars[num], i + 4) << 5;
-+ bits |= get_bit(scalars[num], i + 3) << 4;
-+ bits |= get_bit(scalars[num], i + 2) << 3;
-+ bits |= get_bit(scalars[num], i + 1) << 2;
-+ bits |= get_bit(scalars[num], i) << 1;
-+ bits |= get_bit(scalars[num], i - 1);
-+ ossl_ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
-+
-+ /*
-+ * select the point to add or subtract, in constant time
-+ */
-+ select_point(digit, 17, pre_comp[num], tmp);
-+ felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative
-+ * point */
-+ copy_conditional(tmp[1], tmp[3], (-(limb) sign));
-+
-+ if (!skip) {
-+ point_add(nq[0], nq[1], nq[2],
-+ nq[0], nq[1], nq[2], mixed,
-+ tmp[0], tmp[1], tmp[2]);
-+ } else {
-+ memcpy(nq, tmp, 3 * sizeof(felem));
-+ skip = 0;
-+ }
-+ }
-+ }
-+ }
-+ felem_assign(x_out, nq[0]);
-+ felem_assign(y_out, nq[1]);
-+ felem_assign(z_out, nq[2]);
-+}
-+
-+/* Precomputation for the group generator.
*/
-+struct nistp384_pre_comp_st {
-+ felem g_pre_comp[16][3];
-+ CRYPTO_REF_COUNT refcnt;
-+ CRYPTO_RWLOCK *refcnt_lock;
-+};
-+
-+const EC_METHOD *ossl_ec_GFp_nistp384_method(void)
-+{
-+ static const EC_METHOD ret = {
-+ EC_FLAGS_DEFAULT_OCT,
-+ NID_X9_62_prime_field,
-+ ossl_ec_GFp_nistp384_group_init,
-+ ossl_ec_GFp_simple_group_finish,
-+ ossl_ec_GFp_simple_group_clear_finish,
-+ ossl_ec_GFp_nist_group_copy,
-+ ossl_ec_GFp_nistp384_group_set_curve,
-+ ossl_ec_GFp_simple_group_get_curve,
-+ ossl_ec_GFp_simple_group_get_degree,
-+ ossl_ec_group_simple_order_bits,
-+ ossl_ec_GFp_simple_group_check_discriminant,
-+ ossl_ec_GFp_simple_point_init,
-+ ossl_ec_GFp_simple_point_finish,
-+ ossl_ec_GFp_simple_point_clear_finish,
-+ ossl_ec_GFp_simple_point_copy,
-+ ossl_ec_GFp_simple_point_set_to_infinity,
-+ ossl_ec_GFp_simple_point_set_affine_coordinates,
-+ ossl_ec_GFp_nistp384_point_get_affine_coordinates,
-+ 0, /* point_set_compressed_coordinates */
-+ 0, /* point2oct */
-+ 0, /* oct2point */
-+ ossl_ec_GFp_simple_add,
-+ ossl_ec_GFp_simple_dbl,
-+ ossl_ec_GFp_simple_invert,
-+ ossl_ec_GFp_simple_is_at_infinity,
-+ ossl_ec_GFp_simple_is_on_curve,
-+ ossl_ec_GFp_simple_cmp,
-+ ossl_ec_GFp_simple_make_affine,
-+ ossl_ec_GFp_simple_points_make_affine,
-+ ossl_ec_GFp_nistp384_points_mul,
-+ ossl_ec_GFp_nistp384_precompute_mult,
-+ ossl_ec_GFp_nistp384_have_precompute_mult,
-+ ossl_ec_GFp_nist_field_mul,
-+ ossl_ec_GFp_nist_field_sqr,
-+ 0, /* field_div */
-+ ossl_ec_GFp_simple_field_inv,
-+ 0, /* field_encode */
-+ 0, /* field_decode */
-+ 0, /* field_set_to_one */
-+ ossl_ec_key_simple_priv2oct,
-+ ossl_ec_key_simple_oct2priv,
-+ 0, /* set private */
-+ ossl_ec_key_simple_generate_key,
-+ ossl_ec_key_simple_check_key,
-+ ossl_ec_key_simple_generate_public_key,
-+ 0, /* keycopy */
-+ 0, /* keyfinish */
-+ ossl_ecdh_simple_compute_key,
-+ ossl_ecdsa_simple_sign_setup,
-+ ossl_ecdsa_simple_sign_sig,
-+ ossl_ecdsa_simple_verify_sig,
-+ 0, /* field_inverse_mod_ord */
-+ 0,
/* blind_coordinates */
-+ 0, /* ladder_pre */
-+ 0, /* ladder_step */
-+ 0 /* ladder_post */
-+ };
-+
-+ return &ret;
-+}
-+
-+/******************************************************************************/
-+/*
-+ * FUNCTIONS TO MANAGE PRECOMPUTATION
-+ */
-+
-+static NISTP384_PRE_COMP *nistp384_pre_comp_new(void)
-+{
-+ NISTP384_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret));
-+
-+ if (ret == NULL || (ret->refcnt_lock = CRYPTO_THREAD_lock_new()) == NULL) {
-+ OPENSSL_free(ret);
-+ return NULL;
-+ }
-+
-+ ret->refcnt = 1;
-+ return ret;
-+}
-+
-+NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *p)
-+{
-+ int i;
-+
-+ if (p != NULL)
-+ CRYPTO_UP_REF(&p->refcnt, &i, p->refcnt_lock);
-+ return p;
-+}
-+
-+void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *p)
-+{
-+ int i;
-+
-+ if (p == NULL)
-+ return;
-+
-+ CRYPTO_DOWN_REF(&p->refcnt, &i, p->refcnt_lock);
-+ REF_PRINT_COUNT("ossl_ec_nistp384", p);
-+ if (i > 0)
-+ return;
-+ REF_ASSERT_ISNT(i < 0);
-+
-+ CRYPTO_THREAD_lock_free(p->refcnt_lock);
-+ OPENSSL_free(p);
-+}
-+
-+/******************************************************************************/
-+/*
-+ * OPENSSL EC_METHOD FUNCTIONS
-+ */
-+
-+int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group)
-+{
-+ int ret;
-+
-+ ret = ossl_ec_GFp_simple_group_init(group);
-+ group->a_is_minus3 = 1;
-+ return ret;
-+}
-+
-+int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p,
-+ const BIGNUM *a, const BIGNUM *b,
-+ BN_CTX *ctx)
-+{
-+ int ret = 0;
-+ BIGNUM *curve_p, *curve_a, *curve_b;
-+#ifndef FIPS_MODULE
-+ BN_CTX *new_ctx = NULL;
-+
-+ if (ctx == NULL)
-+ ctx = new_ctx = BN_CTX_new();
-+#endif
-+ if (ctx == NULL)
-+ return 0;
-+
-+ BN_CTX_start(ctx);
-+ curve_p = BN_CTX_get(ctx);
-+ curve_a = BN_CTX_get(ctx);
-+ curve_b = BN_CTX_get(ctx);
-+ if (curve_b == NULL)
-+ goto err;
-+ BN_bin2bn(nistp384_curve_params[0], sizeof(felem_bytearray), curve_p);
-+ BN_bin2bn(nistp384_curve_params[1], sizeof(felem_bytearray), curve_a);
-+
BN_bin2bn(nistp384_curve_params[2], sizeof(felem_bytearray), curve_b);
-+ if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || (BN_cmp(curve_b, b))) {
-+ ERR_raise(ERR_LIB_EC, EC_R_WRONG_CURVE_PARAMETERS);
-+ goto err;
-+ }
-+ group->field_mod_func = BN_nist_mod_384;
-+ ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
-+ err:
-+ BN_CTX_end(ctx);
-+#ifndef FIPS_MODULE
-+ BN_CTX_free(new_ctx);
-+#endif
-+ return ret;
-+}
-+
-+/*
-+ * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
-+ * (X/Z^2, Y/Z^3)
-+ */
-+int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group,
-+ const EC_POINT *point,
-+ BIGNUM *x, BIGNUM *y,
-+ BN_CTX *ctx)
-+{
-+ felem z1, z2, x_in, y_in, x_out, y_out;
-+ widefelem tmp;
-+
-+ if (EC_POINT_is_at_infinity(group, point)) {
-+ ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
-+ return 0;
-+ }
-+ if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) ||
-+ (!BN_to_felem(z1, point->Z)))
-+ return 0;
-+ felem_inv(z2, z1);
-+ felem_square(tmp, z2);
-+ felem_reduce(z1, tmp);
-+ felem_mul(tmp, x_in, z1);
-+ felem_reduce(x_in, tmp);
-+ felem_contract(x_out, x_in);
-+ if (x != NULL) {
-+ if (!felem_to_BN(x, x_out)) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ return 0;
-+ }
-+ }
-+ felem_mul(tmp, z1, z2);
-+ felem_reduce(z1, tmp);
-+ felem_mul(tmp, y_in, z1);
-+ felem_reduce(y_in, tmp);
-+ felem_contract(y_out, y_in);
-+ if (y != NULL) {
-+ if (!felem_to_BN(y, y_out)) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
-+/* points below is of size |num|, and tmp_felems is of size |num+1/ */
-+static void make_points_affine(size_t num, felem points[][3],
-+ felem tmp_felems[])
-+{
-+ /*
-+ * Runs in constant time, unless an input is the point at infinity (which
-+ * normally shouldn't happen).
-+ */
-+ ossl_ec_GFp_nistp_points_make_affine_internal(num,
-+ points,
-+ sizeof(felem),
-+ tmp_felems,
-+ (void (*)(void *))felem_one,
-+ felem_is_zero_int,
-+ (void (*)(void *, const void *))
-+ felem_assign,
-+ (void (*)(void *, const void *))
-+ felem_square_reduce,
-+ (void (*)(void *, const void *, const void*))
-+ felem_mul_reduce,
-+ (void (*)(void *, const void *))
-+ felem_inv,
-+ (void (*)(void *, const void *))
-+ felem_contract);
-+}
-+
-+/*
-+ * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL
-+ * values Result is stored in r (r can equal one of the inputs).
-+ */
-+int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r,
-+ const BIGNUM *scalar, size_t num,
-+ const EC_POINT *points[],
-+ const BIGNUM *scalars[], BN_CTX *ctx)
-+{
-+ int ret = 0;
-+ int j;
-+ int mixed = 0;
-+ BIGNUM *x, *y, *z, *tmp_scalar;
-+ felem_bytearray g_secret;
-+ felem_bytearray *secrets = NULL;
-+ felem (*pre_comp)[17][3] = NULL;
-+ felem *tmp_felems = NULL;
-+ unsigned int i;
-+ int num_bytes;
-+ int have_pre_comp = 0;
-+ size_t num_points = num;
-+ felem x_in, y_in, z_in, x_out, y_out, z_out;
-+ NISTP384_PRE_COMP *pre = NULL;
-+ felem(*g_pre_comp)[3] = NULL;
-+ EC_POINT *generator = NULL;
-+ const EC_POINT *p = NULL;
-+ const BIGNUM *p_scalar = NULL;
-+
-+ BN_CTX_start(ctx);
-+ x = BN_CTX_get(ctx);
-+ y = BN_CTX_get(ctx);
-+ z = BN_CTX_get(ctx);
-+ tmp_scalar = BN_CTX_get(ctx);
-+ if (tmp_scalar == NULL)
-+ goto err;
-+
-+ if (scalar != NULL) {
-+ pre = group->pre_comp.nistp384;
-+ if (pre)
-+ /* we have precomputation, try to use it */
-+ g_pre_comp = &pre->g_pre_comp[0];
-+ else
-+ /* try to use the standard precomputation */
-+ g_pre_comp = (felem(*)[3]) gmul;
-+ generator = EC_POINT_new(group);
-+ if (generator == NULL)
-+ goto err;
-+ /* get the generator from precomputation */
-+ if (!felem_to_BN(x, g_pre_comp[1][0]) ||
-+ !felem_to_BN(y, g_pre_comp[1][1]) ||
-+ !felem_to_BN(z, g_pre_comp[1][2])) {
-+ ERR_raise(ERR_LIB_EC,
ERR_R_BN_LIB);
-+ goto err;
-+ }
-+ if (!ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group,
-+ generator,
-+ x, y, z, ctx))
-+ goto err;
-+ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
-+ /* precomputation matches generator */
-+ have_pre_comp = 1;
-+ else
-+ /*
-+ * we don't have valid precomputation: treat the generator as a
-+ * random point
-+ */
-+ num_points++;
-+ }
-+
-+ if (num_points > 0) {
-+ if (num_points >= 2) {
-+ /*
-+ * unless we precompute multiples for just one point, converting
-+ * those into affine form is time well spent
-+ */
-+ mixed = 1;
-+ }
-+ secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points);
-+ pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points);
-+ if (mixed)
-+ tmp_felems =
-+ OPENSSL_malloc(sizeof(*tmp_felems) * (num_points * 17 + 1));
-+ if ((secrets == NULL) || (pre_comp == NULL)
-+ || (mixed && (tmp_felems == NULL)))
-+ goto err;
-+
-+ /*
-+ * we treat NULL scalars as 0, and NULL points as points at infinity,
-+ * i.e., they contribute nothing to the linear combination
-+ */
-+ for (i = 0; i < num_points; ++i) {
-+ if (i == num) {
-+ /*
-+ * we didn't have a valid precomputation, so we pick the
-+ * generator
-+ */
-+ p = EC_GROUP_get0_generator(group);
-+ p_scalar = scalar;
-+ } else {
-+ /* the i^th point */
-+ p = points[i];
-+ p_scalar = scalars[i];
-+ }
-+ if (p_scalar != NULL && p != NULL) {
-+ /* reduce scalar to 0 <= scalar < 2^384 */
-+ if ((BN_num_bits(p_scalar) > 384)
-+ || (BN_is_negative(p_scalar))) {
-+ /*
-+ * this is an unusual input, and we don't guarantee
-+ * constant-timeness
-+ */
-+ if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ goto err;
-+ }
-+ num_bytes = BN_bn2lebinpad(tmp_scalar,
-+ secrets[i], sizeof(secrets[i]));
-+ } else {
-+ num_bytes = BN_bn2lebinpad(p_scalar,
-+ secrets[i], sizeof(secrets[i]));
-+ }
-+ if (num_bytes < 0) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ goto err;
-+ }
-+ /* precompute multiples
*/
-+ if ((!BN_to_felem(x_out, p->X)) ||
-+ (!BN_to_felem(y_out, p->Y)) ||
-+ (!BN_to_felem(z_out, p->Z)))
-+ goto err;
-+ memcpy(pre_comp[i][1][0], x_out, sizeof(felem));
-+ memcpy(pre_comp[i][1][1], y_out, sizeof(felem));
-+ memcpy(pre_comp[i][1][2], z_out, sizeof(felem));
-+ for (j = 2; j <= 16; ++j) {
-+ if (j & 1) {
-+ point_add(pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
-+ pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2], 0,
-+ pre_comp[i][j - 1][0], pre_comp[i][j - 1][1], pre_comp[i][j - 1][2]);
-+ } else {
-+ point_double(pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
-+ pre_comp[i][j / 2][0], pre_comp[i][j / 2][1], pre_comp[i][j / 2][2]);
-+ }
-+ }
-+ }
-+ }
-+ if (mixed)
-+ make_points_affine(num_points * 17, pre_comp[0], tmp_felems);
-+ }
-+
-+ /* the scalar for the generator */
-+ if (scalar != NULL && have_pre_comp) {
-+ memset(g_secret, 0, sizeof(g_secret));
-+ /* reduce scalar to 0 <= scalar < 2^384 */
-+ if ((BN_num_bits(scalar) > 384) || (BN_is_negative(scalar))) {
-+ /*
-+ * this is an unusual input, and we don't guarantee
-+ * constant-timeness
-+ */
-+ if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ goto err;
-+ }
-+ num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
-+ } else {
-+ num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
-+ }
-+ /* do the multiplication with generator precomputation */
-+ batch_mul(x_out, y_out, z_out,
-+ (const felem_bytearray(*))secrets, num_points,
-+ g_secret,
-+ mixed, (const felem(*)[17][3])pre_comp,
-+ (const felem(*)[3])g_pre_comp);
-+ } else {
-+ /* do the multiplication without generator precomputation */
-+ batch_mul(x_out, y_out, z_out,
-+ (const felem_bytearray(*))secrets, num_points,
-+ NULL, mixed, (const felem(*)[17][3])pre_comp, NULL);
-+ }
-+ /* reduce the output to its unique minimal representation */
-+ felem_contract(x_in, x_out);
-+ felem_contract(y_in, y_out);
-+ felem_contract(z_in,
z_out); -+ if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) || -+ (!felem_to_BN(z, z_in))) { -+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); -+ goto err; -+ } -+ ret = ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z, -+ ctx); -+ -+ err: -+ BN_CTX_end(ctx); -+ EC_POINT_free(generator); -+ OPENSSL_free(secrets); -+ OPENSSL_free(pre_comp); -+ OPENSSL_free(tmp_felems); -+ return ret; -+} -+ -+int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx) -+{ -+ int ret = 0; -+ NISTP384_PRE_COMP *pre = NULL; -+ int i, j; -+ BIGNUM *x, *y; -+ EC_POINT *generator = NULL; -+ felem tmp_felems[16]; -+#ifndef FIPS_MODULE -+ BN_CTX *new_ctx = NULL; -+#endif -+ -+ /* throw away old precomputation */ -+ EC_pre_comp_free(group); -+ -+#ifndef FIPS_MODULE -+ if (ctx == NULL) -+ ctx = new_ctx = BN_CTX_new(); -+#endif -+ if (ctx == NULL) -+ return 0; -+ -+ BN_CTX_start(ctx); -+ x = BN_CTX_get(ctx); -+ y = BN_CTX_get(ctx); -+ if (y == NULL) -+ goto err; -+ /* get the generator */ -+ if (group->generator == NULL) -+ goto err; -+ generator = EC_POINT_new(group); -+ if (generator == NULL) -+ goto err; -+ BN_bin2bn(nistp384_curve_params[3], sizeof(felem_bytearray), x); -+ BN_bin2bn(nistp384_curve_params[4], sizeof(felem_bytearray), y); -+ if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx)) -+ goto err; -+ if ((pre = nistp384_pre_comp_new()) == NULL) -+ goto err; -+ /* -+ * if the generator is the standard one, use built-in precomputation -+ */ -+ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) { -+ memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp)); -+ goto done; -+ } -+ if ((!BN_to_felem(pre->g_pre_comp[1][0], group->generator->X)) || -+ (!BN_to_felem(pre->g_pre_comp[1][1], group->generator->Y)) || -+ (!BN_to_felem(pre->g_pre_comp[1][2], group->generator->Z))) -+ goto err; -+ /* compute 2^95*G, 2^190*G, 2^285*G */ -+ for (i = 1; i <= 4; i <<= 1) { -+ point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], 
pre->g_pre_comp[2 * i][2], -+ pre->g_pre_comp[i][0], pre->g_pre_comp[i][1], pre->g_pre_comp[i][2]); -+ for (j = 0; j < 94; ++j) { -+ point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], -+ pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2]); -+ } -+ } -+ /* g_pre_comp[0] is the point at infinity */ -+ memset(pre->g_pre_comp[0], 0, sizeof(pre->g_pre_comp[0])); -+ /* the remaining multiples */ -+ /* 2^95*G + 2^190*G */ -+ point_add(pre->g_pre_comp[6][0], pre->g_pre_comp[6][1], pre->g_pre_comp[6][2], -+ pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], pre->g_pre_comp[4][2], 0, -+ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); -+ /* 2^95*G + 2^285*G */ -+ point_add(pre->g_pre_comp[10][0], pre->g_pre_comp[10][1], pre->g_pre_comp[10][2], -+ pre->g_pre_comp[8][0], pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 0, -+ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); -+ /* 2^190*G + 2^285*G */ -+ point_add(pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], pre->g_pre_comp[12][2], -+ pre->g_pre_comp[8][0], pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 0, -+ pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], pre->g_pre_comp[4][2]); -+ /* 2^95*G + 2^190*G + 2^285*G */ -+ point_add(pre->g_pre_comp[14][0], pre->g_pre_comp[14][1], pre->g_pre_comp[14][2], -+ pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], pre->g_pre_comp[12][2], 0, -+ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); -+ for (i = 1; i < 8; ++i) { -+ /* odd multiples: add G */ -+ point_add(pre->g_pre_comp[2 * i + 1][0], pre->g_pre_comp[2 * i + 1][1], pre->g_pre_comp[2 * i + 1][2], -+ pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], 0, -+ pre->g_pre_comp[1][0], pre->g_pre_comp[1][1], pre->g_pre_comp[1][2]); -+ } -+ make_points_affine(15, &(pre->g_pre_comp[1]), tmp_felems); -+ -+ done: -+ SETPRECOMP(group, nistp384, pre); -+ ret = 1; -+ pre = NULL; -+ err: -+ 
BN_CTX_end(ctx); -+ EC_POINT_free(generator); -+#ifndef FIPS_MODULE -+ BN_CTX_free(new_ctx); -+#endif -+ ossl_ec_nistp384_pre_comp_free(pre); -+ return ret; -+} -+ -+int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group) -+{ -+ return HAVEPRECOMP(group, nistp384); -+} diff --git a/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch b/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch deleted file mode 100644 index 90f12cd..0000000 --- a/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Fri, 23 Jun 2023 16:41:48 +1000 -Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul} - wrappers - -Runtime selection of implementations for felem_{square,mul} depends on -felem_{square,mul}_wrapper functions, which overwrite function points in -a similar design to that of .plt.got sections used by program loaders -during dynamic linking. - -There's no reason why these functions need to have external linkage. -Mark static. - -Signed-off-by: Rohan McLure - -Reviewed-by: Paul Dale -Reviewed-by: Shane Lontis -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Todd Short -(Merged from https://github.com/openssl/openssl/pull/21471) ---- - crypto/ec/ecp_nistp521.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c -index 97815cac1f13..32a9268ecf17 100644 ---- a/crypto/ec/ecp_nistp521.c -+++ b/crypto/ec/ecp_nistp521.c -@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in) - } - - #if defined(ECP_NISTP521_ASM) --void felem_square_wrapper(largefelem out, const felem in); --void felem_mul_wrapper(largefelem out, const felem in1, const felem in2); -+static void felem_square_wrapper(largefelem out, const felem in); -+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2); - - static void (*felem_square_p)(largefelem out, const felem in) = - felem_square_wrapper; -@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2); - # include "crypto/ppc_arch.h" - # endif - --void felem_select(void) -+static void felem_select(void) - { - # if defined(_ARCH_PPC64) - if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { -@@ -707,13 +707,13 @@ void felem_select(void) - felem_mul_p = felem_mul_ref; - } - --void felem_square_wrapper(largefelem out, const felem in) -+static void 
felem_square_wrapper(largefelem out, const felem in) - { - felem_select(); - felem_square_p(out, in); - } - --void felem_mul_wrapper(largefelem out, const felem in1, const felem in2) -+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2) - { - felem_select(); - felem_mul_p(out, in1, in2); diff --git a/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch b/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch deleted file mode 100644 index 91bb470..0000000 --- a/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch +++ /dev/null 
@@ -1,428 +0,0 @@ -From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Wed, 31 May 2023 14:32:26 +1000 -Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul} - -Add an assembly implementation of felem_{square,mul}, which will be -implemented whenever Altivec support is present and the core implements -ISA 3.0 (Power 9) or greater. - -Signed-off-by: Rohan McLure - -Reviewed-by: Paul Dale -Reviewed-by: Shane Lontis -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Todd Short -(Merged from https://github.com/openssl/openssl/pull/21471) ---- - crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++ - crypto/ec/build.info | 6 +- - crypto/ec/ecp_nistp384.c | 9 + - 3 files changed, 368 insertions(+), 2 deletions(-) - create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl - -diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl -new file mode 100755 -index 000000000000..3f86b391af69 ---- /dev/null -+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl -@@ -0,0 +1,355 @@ -+#! /usr/bin/env perl -+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+# -+# ==================================================================== -+# Written by Rohan McLure for the OpenSSL -+# project. -+# ==================================================================== -+# -+# p384 lower-level primitives for PPC64 using vector instructions. 
-+# -+ -+use strict; -+use warnings; -+ -+my $flavour = shift; -+my $output = ""; -+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} -+if (!$output) { -+ $output = "-"; -+} -+ -+my ($xlate, $dir); -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -+die "can't locate ppc-xlate.pl"; -+ -+open OUT,"| \"$^X\" $xlate $flavour $output"; -+*STDOUT=*OUT; -+ -+my $code = ""; -+ -+my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12"); -+ -+my $vzero = "v32"; -+ -+sub startproc($) -+{ -+ my ($name) = @_; -+ -+ $code.=<<___; -+ .globl ${name} -+ .align 5 -+${name}: -+ -+___ -+} -+ -+sub endproc($) -+{ -+ my ($name) = @_; -+ -+ $code.=<<___; -+ blr -+ .size ${name},.-${name} -+ -+___ -+} -+ -+ -+sub push_vrs($$) -+{ -+ my ($min, $max) = @_; -+ -+ my $count = $max - $min + 1; -+ -+ $code.=<<___; -+ mr $savesp,$sp -+ stdu $sp,-16*`$count+1`($sp) -+ -+___ -+ for (my $i = $min; $i <= $max; $i++) { -+ my $mult = $max - $i + 1; -+ $code.=<<___; -+ stxv $i,-16*$mult($savesp) -+___ -+ -+ } -+ -+ $code.=<<___; -+ -+___ -+} -+ -+sub pop_vrs($$) -+{ -+ my ($min, $max) = @_; -+ -+ $code.=<<___; -+ ld $savesp,0($sp) -+___ -+ for (my $i = $min; $i <= $max; $i++) { -+ my $mult = $max - $i + 1; -+ $code.=<<___; -+ lxv $i,-16*$mult($savesp) -+___ -+ } -+ -+ $code.=<<___; -+ mr $sp,$savesp -+ -+___ -+} -+ -+sub load_vrs($$) -+{ -+ my ($pointer, $reg_list) = @_; -+ -+ for (my $i = 0; $i <= 6; $i++) { -+ my $offset = $i * 8; -+ $code.=<<___; -+ lxsd $reg_list->[$i],$offset($pointer) -+___ -+ } -+ -+ $code.=<<___; -+ -+___ -+} -+ -+sub store_vrs($$) -+{ -+ my ($pointer, $reg_list) = @_; -+ -+ for (my $i = 0; $i <= 12; $i++) { -+ my $offset = $i * 16; -+ $code.=<<___; -+ stxv $reg_list->[$i],$offset($pointer) -+___ -+ } -+ -+ $code.=<<___; -+ -+___ -+} -+ -+$code.=<<___; -+.machine "any" -+.text -+ -+___ -+ -+{ -+ # mul/square common -+ my ($t1, $t2, $t3, $t4) = ("v33", "v34", 
"v42", "v43"); -+ my ($zero, $one) = ("r8", "r9"); -+ my $out = "v51"; -+ -+ { -+ # -+ # p384_felem_mul -+ # -+ -+ my ($in1p, $in2p) = ("r4", "r5"); -+ my @in1 = map("v$_",(44..50)); -+ my @in2 = map("v$_",(35..41)); -+ -+ startproc("p384_felem_mul"); -+ -+ push_vrs(52, 63); -+ -+ $code.=<<___; -+ vspltisw $vzero,0 -+ -+___ -+ -+ load_vrs($in1p, \@in1); -+ load_vrs($in2p, \@in2); -+ -+ $code.=<<___; -+ vmsumudm $out,$in1[0],$in2[0],$vzero -+ stxv $out,0($outp) -+ -+ xxpermdi $t1,$in1[0],$in1[1],0b00 -+ xxpermdi $t2,$in2[1],$in2[0],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,16($outp) -+ -+ xxpermdi $t2,$in2[2],$in2[1],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in1[2],$in2[0],$out -+ stxv $out,32($outp) -+ -+ xxpermdi $t2,$in2[1],$in2[0],0b00 -+ xxpermdi $t3,$in1[2],$in1[3],0b00 -+ xxpermdi $t4,$in2[3],$in2[2],0b00 -+ vmsumudm $out,$t1,$t4,$vzero -+ vmsumudm $out,$t3,$t2,$out -+ stxv $out,48($outp) -+ -+ xxpermdi $t2,$in2[4],$in2[3],0b00 -+ xxpermdi $t4,$in2[2],$in2[1],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ vmsumudm $out,$in1[4],$in2[0],$out -+ stxv $out,64($outp) -+ -+ xxpermdi $t2,$in2[5],$in2[4],0b00 -+ xxpermdi $t4,$in2[3],$in2[2],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ xxpermdi $t4,$in2[1],$in2[0],0b00 -+ xxpermdi $t1,$in1[4],$in1[5],0b00 -+ vmsumudm $out,$t1,$t4,$out -+ stxv $out,80($outp) -+ -+ xxpermdi $t1,$in1[0],$in1[1],0b00 -+ xxpermdi $t2,$in2[6],$in2[5],0b00 -+ xxpermdi $t4,$in2[4],$in2[3],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ xxpermdi $t2,$in2[2],$in2[1],0b00 -+ xxpermdi $t1,$in1[4],$in1[5],0b00 -+ vmsumudm $out,$t1,$t2,$out -+ vmsumudm $out,$in1[6],$in2[0],$out -+ stxv $out,96($outp) -+ -+ xxpermdi $t1,$in1[1],$in1[2],0b00 -+ xxpermdi $t2,$in2[6],$in2[5],0b00 -+ xxpermdi $t3,$in1[3],$in1[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ xxpermdi $t3,$in2[2],$in2[1],0b00 -+ xxpermdi $t1,$in1[5],$in1[6],0b00 -+ vmsumudm 
$out,$t1,$t3,$out -+ stxv $out,112($outp) -+ -+ xxpermdi $t1,$in1[2],$in1[3],0b00 -+ xxpermdi $t3,$in1[4],$in1[5],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ vmsumudm $out,$in1[6],$in2[2],$out -+ stxv $out,128($outp) -+ -+ xxpermdi $t1,$in1[3],$in1[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ xxpermdi $t1,$in1[5],$in1[6],0b00 -+ vmsumudm $out,$t1,$t4,$out -+ stxv $out,144($outp) -+ -+ vmsumudm $out,$t3,$t2,$vzero -+ vmsumudm $out,$in1[6],$in2[4],$out -+ stxv $out,160($outp) -+ -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,176($outp) -+ -+ vmsumudm $out,$in1[6],$in2[6],$vzero -+ stxv $out,192($outp) -+___ -+ -+ endproc("p384_felem_mul"); -+ } -+ -+ { -+ # -+ # p384_felem_square -+ # -+ -+ my ($inp) = ("r4"); -+ my @in = map("v$_",(44..50)); -+ my @inx2 = map("v$_",(35..41)); -+ -+ startproc("p384_felem_square"); -+ -+ push_vrs(52, 63); -+ -+ $code.=<<___; -+ vspltisw $vzero,0 -+ -+___ -+ -+ load_vrs($inp, \@in); -+ -+ $code.=<<___; -+ li $zero,0 -+ li $one,1 -+ mtvsrdd $t1,$one,$zero -+___ -+ -+ for (my $i = 0; $i <= 6; $i++) { -+ $code.=<<___; -+ vsld $inx2[$i],$in[$i],$t1 -+___ -+ } -+ -+ $code.=<<___; -+ vmsumudm $out,$in[0],$in[0],$vzero -+ stxv $out,0($outp) -+ -+ vmsumudm $out,$in[0],$inx2[1],$vzero -+ stxv $out,16($outp) -+ -+ vmsumudm $out,$in[0],$inx2[2],$vzero -+ vmsumudm $out,$in[1],$in[1],$out -+ stxv $out,32($outp) -+ -+ xxpermdi $t1,$in[0],$in[1],0b00 -+ xxpermdi $t2,$inx2[3],$inx2[2],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,48($outp) -+ -+ xxpermdi $t4,$inx2[4],$inx2[3],0b00 -+ vmsumudm $out,$t1,$t4,$vzero -+ vmsumudm $out,$in[2],$in[2],$out -+ stxv $out,64($outp) -+ -+ xxpermdi $t2,$inx2[5],$inx2[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in[2],$inx2[3],$out -+ stxv $out,80($outp) -+ -+ xxpermdi $t2,$inx2[6],$inx2[5],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in[2],$inx2[4],$out -+ vmsumudm $out,$in[3],$in[3],$out -+ stxv $out,96($outp) -+ -+ xxpermdi $t3,$in[1],$in[2],0b00 -+ vmsumudm 
$out,$t3,$t2,$vzero -+ vmsumudm $out,$in[3],$inx2[4],$out -+ stxv $out,112($outp) -+ -+ xxpermdi $t1,$in[2],$in[3],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in[4],$in[4],$out -+ stxv $out,128($outp) -+ -+ xxpermdi $t1,$in[3],$in[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,144($outp) -+ -+ vmsumudm $out,$in[4],$inx2[6],$vzero -+ vmsumudm $out,$in[5],$in[5],$out -+ stxv $out,160($outp) -+ -+ vmsumudm $out,$in[5],$inx2[6],$vzero -+ stxv $out,176($outp) -+ -+ vmsumudm $out,$in[6],$in[6],$vzero -+ stxv $out,192($outp) -+___ -+ -+ endproc("p384_felem_square"); -+ } -+} -+ -+$code =~ s/\`([^\`]*)\`/eval $1/gem; -+print $code; -+close STDOUT or die "error closing STDOUT: $!"; -diff --git a/crypto/ec/build.info b/crypto/ec/build.info -index 1fa60a1deddd..4077bead7bdb 100644 ---- a/crypto/ec/build.info -+++ b/crypto/ec/build.info -@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}] - $ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s - $ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM - IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}] -- $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s -- $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM -+ $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s -+ $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM -+ INCLUDE[ecp_nistp384.o]=.. - INCLUDE[ecp_nistp521.o]=.. - ENDIF - -@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl - INCLUDE[ecp_nistz256-armv8.o]=.. 
- GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl - -+GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl - GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl - - GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl -diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c -index a0559487ed4e..14f9530d07c6 100644 ---- a/crypto/ec/ecp_nistp384.c -+++ b/crypto/ec/ecp_nistp384.c -@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2); - - static void felem_select(void) - { -+# if defined(_ARCH_PPC64) -+ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { -+ felem_square_p = p384_felem_square; -+ felem_mul_p = p384_felem_mul; -+ -+ return; -+ } -+# endif -+ - /* Default */ - felem_square_p = felem_square_ref; - felem_mul_p = felem_mul_ref; diff --git a/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch b/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch deleted file mode 100644 index a2918d9..0000000 --- a/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Tue, 15 Aug 2023 15:20:20 +1000 -Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1 - -Substitutions in the felem_reduce() method feature unecessary -parentheses, remove them. - -Signed-off-by: Rohan McLure - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/21749) ---- - crypto/ec/ecp_nistp384.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c -index 14f9530d07c6..ff68f9cc7ad0 100644 ---- a/crypto/ec/ecp_nistp384.c -+++ b/crypto/ec/ecp_nistp384.c -@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[7] += in[12] >> 8; - acc[6] += (in[12] & 0xff) << 48; - acc[6] -= in[12] >> 16; -- acc[5] -= ((in[12] & 0xffff) << 40); -+ acc[5] -= (in[12] & 0xffff) << 40; - acc[6] += in[12] >> 48; - acc[5] += (in[12] & 0xffffffffffff) << 8; - -@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[6] += in[11] >> 8; - acc[5] += (in[11] & 0xff) << 48; - acc[5] -= in[11] >> 16; -- acc[4] -= ((in[11] & 0xffff) << 40); -+ acc[4] -= (in[11] & 0xffff) << 40; - acc[5] += in[11] >> 48; - acc[4] += (in[11] & 0xffffffffffff) << 8; - -@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[5] += in[10] >> 8; - acc[4] += (in[10] & 0xff) << 48; - acc[4] -= in[10] >> 16; -- acc[3] -= ((in[10] & 0xffff) << 40); -+ acc[3] -= (in[10] & 0xffff) << 40; - acc[4] += in[10] >> 48; - acc[3] += (in[10] & 0xffffffffffff) << 8; - -@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[4] += in[9] >> 8; - acc[3] += (in[9] & 0xff) << 48; - acc[3] -= in[9] >> 16; -- acc[2] -= ((in[9] & 0xffff) << 40); -+ acc[2] -= (in[9] & 0xffff) << 40; - acc[3] += in[9] >> 48; - acc[2] += (in[9] & 0xffffffffffff) << 8; - -@@ 
-582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[3] += acc[8] >> 8; - acc[2] += (acc[8] & 0xff) << 48; - acc[2] -= acc[8] >> 16; -- acc[1] -= ((acc[8] & 0xffff) << 40); -+ acc[1] -= (acc[8] & 0xffff) << 40; - acc[2] += acc[8] >> 48; - acc[1] += (acc[8] & 0xffffffffffff) << 8; - -@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[2] += acc[7] >> 8; - acc[1] += (acc[7] & 0xff) << 48; - acc[1] -= acc[7] >> 16; -- acc[0] -= ((acc[7] & 0xffff) << 40); -+ acc[0] -= (acc[7] & 0xffff) << 40; - acc[1] += acc[7] >> 48; - acc[0] += (acc[7] & 0xffffffffffff) << 8; - diff --git a/openssl-load-legacy-provider.patch b/openssl-load-legacy-provider.patch index 217d8e1..f112006 100644 --- a/openssl-load-legacy-provider.patch +++ b/openssl-load-legacy-provider.patch @@ -13,11 +13,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd doc/man5/config.pod | 8 ++++++++ 2 files changed, 23 insertions(+), 22 deletions(-) -Index: openssl-3.1.4/apps/openssl.cnf +Index: openssl-3.2.3/apps/openssl.cnf =================================================================== ---- openssl-3.1.4.orig/apps/openssl.cnf -+++ openssl-3.1.4/apps/openssl.cnf -@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1 +--- openssl-3.2.3.orig/apps/openssl.cnf ++++ openssl-3.2.3/apps/openssl.cnf +@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 @@ -32,7 +32,9 @@ Index: openssl-3.1.4/apps/openssl.cnf [openssl_init] providers = provider_sect # Load default TLS policy configuration - ssl_conf = ssl_module +@@ -58,23 +50,24 @@ ssl_conf = ssl_module + [ evp_properties ] + # This section is intentionally added empty here to be tuned on particular systems -# List of providers to load +# Uncomment the sections that start with ## below to enable the legacy provider. 
@@ -68,11 +70,11 @@ Index: openssl-3.1.4/apps/openssl.cnf +##activate = 1 [ ssl_module ] - -Index: openssl-3.1.4/doc/man5/config.pod + system_default = crypto_policy +Index: openssl-3.2.3/doc/man5/config.pod =================================================================== ---- openssl-3.1.4.orig/doc/man5/config.pod -+++ openssl-3.1.4/doc/man5/config.pod +--- openssl-3.2.3.orig/doc/man5/config.pod ++++ openssl-3.2.3/doc/man5/config.pod @@ -273,6 +273,14 @@ significant. All parameters in the section as well as sub-sections are made available to the provider. diff --git a/openssl-no-html-docs.patch b/openssl-no-html-docs.patch index efda996..41ca968 100644 --- a/openssl-no-html-docs.patch +++ b/openssl-no-html-docs.patch @@ -1,13 +1,13 @@ -Index: openssl-3.1.4/Configurations/unix-Makefile.tmpl +Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-3.1.4.orig/Configurations/unix-Makefile.tmpl -+++ openssl-3.1.4/Configurations/unix-Makefile.tmpl -@@ -611,7 +611,7 @@ install_sw: install_dev install_engines +--- openssl-3.2.3.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.2.3/Configurations/unix-Makefile.tmpl +@@ -633,7 +633,7 @@ install_sw: install_dev install_engines - uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev + uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries --install_docs: install_man_docs install_html_docs -+install_docs: install_man_docs +-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation ++install_docs: install_man_docs # install_html_docs ## Install manpages and HTML documentation - uninstall_docs: uninstall_man_docs uninstall_html_docs + uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation $(RM) -r "$(DESTDIR)$(DOCDIR)" 
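Review bot: In the rebased openssl-no-html-docs.patch hunk, the new line `+install_docs: install_man_docs # install_html_docs ## Install manpages and HTML documentation` keeps a `## ...` trailer that still advertises HTML documentation, while the point of the patch is to stop installing it; if that trailer is what the template's `help` target prints, the help output now contradicts the build. Consider `+install_docs: install_man_docs ## Install manpages (HTML documentation is not installed)` so the description matches behaviour, keeping the commented-out `install_html_docs` only if it is meant as a rebase hint. The `uninstall_docs` context line below it is unchanged and still removes `$(DOCDIR)` recursively, which is presumably intended.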
diff --git a/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch b/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch index 8788a95..82d5ab4 100644 --- a/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch +++ b/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch @@ -10,10 +10,10 @@ Patch-id: 84 providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) -diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c -index 349c3dd657..11820d1e69 100644 ---- a/providers/implementations/kdfs/pbkdf2.c -+++ b/providers/implementations/kdfs/pbkdf2.c +Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/kdfs/pbkdf2.c ++++ openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c @@ -35,6 +35,21 @@ #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF #define KDF_PBKDF2_MIN_ITERATIONS 1000 @@ -32,11 +32,11 @@ index 349c3dd657..11820d1e69 100644 + * testing uses passwords as short as 8 bytes, and requiring longer passwords + * combined with an implicit indicator (i.e., returning an error) would cause + * the module to fail ACVP testing. */ -+#define KDF_PBKDF2_MIN_PASSWORD_LEN (20) ++#define KDF_PBKDF2_MIN_PASSWORD_LEN (8) static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup; -@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) +@@ -215,9 +230,15 @@ static int kdf_pbkdf2_set_ctx_params(voi ctx->lower_bound_checks = pkcs5 == 0; } 
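Review bot: The downstream lower bound is cut from 20 to 8 bytes (`-+#define KDF_PBKDF2_MIN_PASSWORD_LEN (20)` → `++#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)`), which finally matches the patch's file name and its own comment about ACVP vectors, but the reason for giving up the stricter value is recorded nowhere in the patch itself. A sentence in the patch header next to `Patch-id: 84`, such as `Lowered from 20 to 8 bytes: ACVP PBKDF2 vectors use 8-byte passwords and the implicit error indicator would otherwise fail validation`, would keep the next rebase from silently reverting it. It is also worth stating there that the bound only applies when `lower_bound_checks` is set, which the context line `ctx->lower_bound_checks = pkcs5 == 0;` shows is derived from the `pkcs5` parameter, so callers in PKCS#5 compatibility mode never see it. The enclosing `kdf_pbkdf2_set_ctx_params` body is only partly visible in this hunk.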
@@ -53,7 +53,7 @@ index 349c3dd657..11820d1e69 100644 if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { if (ctx->lower_bound_checks != 0 -@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen, +@@ -327,6 +348,10 @@ static int pbkdf2_derive(const char *pas } if (lower_bound_checks) { @@ -64,6 +64,3 @@ index 349c3dd657..11820d1e69 100644 if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); return 0; --- -2.41.0 - diff --git a/openssl-pkgconfig.patch b/openssl-pkgconfig.patch index 862be2c..b1536f7 100644 --- a/openssl-pkgconfig.patch +++ b/openssl-pkgconfig.patch @@ -1,8 +1,8 @@ -Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl +Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-1.1.1-pre3.orig/Configurations/unix-Makefile.tmpl 2018-03-20 15:20:03.037124698 +0100 -+++ openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl 2018-03-20 15:21:04.206084731 +0100 -@@ -843,7 +843,7 @@ libcrypto.pc: +--- openssl-3.2.3.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.2.3/Configurations/unix-Makefile.tmpl +@@ -1453,7 +1453,7 @@ libcrypto.pc: echo 'Version: '$(VERSION); \ echo 'Libs: -L$${libdir} -lcrypto'; \ echo 'Libs.private: $(LIB_EX_LIBS)'; \ @@ -11,7 +11,7 @@ Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl libssl.pc: @ ( echo 'prefix=$(INSTALLTOP)'; \ -@@ -860,7 +860,7 @@ libssl.pc: +@@ -1470,7 +1470,7 @@ libssl.pc: echo 'Version: '$(VERSION); \ echo 'Requires.private: libcrypto'; \ echo 'Libs: -L$${libdir} -lssl'; \ diff --git a/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch b/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch deleted file mode 100644 index ecfecb5..0000000 --- a/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Wed, 16 Aug 2023 16:52:47 +1000 -Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm - -Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as -VSX enabled systems make extensive use of renaming, and so writebacks in -felem_{mul,square}() can be reordered for best cache effects. - -Remove stack allocations. This in turn fixes unmatched push/pops in -felem_{mul,square}(). - -Signed-off-by: Rohan McLure - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/21749) ---- - crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 ----------------------------- - 1 file changed, 49 deletions(-) - -diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl -index 3f86b391af69..28f4168e5218 100755 ---- a/crypto/ec/asm/ecp_nistp384-ppc64.pl -+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl -@@ -62,51 +62,6 @@ ($) - ___ - } - -- --sub push_vrs($$) --{ -- my ($min, $max) = @_; -- -- my $count = $max - $min + 1; -- -- $code.=<<___; -- mr $savesp,$sp -- stdu $sp,-16*`$count+1`($sp) -- --___ -- for (my $i = $min; $i <= $max; $i++) { -- my $mult = $max - $i + 1; -- $code.=<<___; -- stxv $i,-16*$mult($savesp) --___ -- -- } -- -- $code.=<<___; -- --___ --} -- --sub pop_vrs($$) --{ -- my ($min, $max) = @_; -- -- $code.=<<___; -- ld $savesp,0($sp) --___ -- for (my $i = $min; $i <= $max; $i++) { -- my $mult = $max - $i + 1; -- $code.=<<___; -- lxv $i,-16*$mult($savesp) --___ -- } -- -- $code.=<<___; -- mr $sp,$savesp -- --___ --} -- - sub load_vrs($$) - { - my ($pointer, $reg_list) = @_; -@@ -162,8 +117,6 @@ ($$) - - startproc("p384_felem_mul"); - -- push_vrs(52, 63); -- - $code.=<<___; - vspltisw $vzero,0 - -@@ -268,8 +221,6 @@ ($$) - - startproc("p384_felem_square"); - -- push_vrs(52, 63); -- - $code.=<<___; - vspltisw $vzero,0 - 
diff --git a/openssl-ppc64-config.patch b/openssl-ppc64-config.patch index 1efc39d..1312db2 100644 --- a/openssl-ppc64-config.patch +++ b/openssl-ppc64-config.patch @@ -1,8 +1,8 @@ -Index: openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm +Index: openssl-3.2.3/util/perl/OpenSSL/config.pm =================================================================== ---- openssl-3.0.0-alpha5.orig/util/perl/OpenSSL/config.pm -+++ openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm -@@ -525,14 +525,19 @@ EOF +--- openssl-3.2.3.orig/util/perl/OpenSSL/config.pm ++++ openssl-3.2.3/util/perl/OpenSSL/config.pm +@@ -592,14 +592,19 @@ EOF return { target => "linux-ppc64" } if $KERNEL_BITS eq '64'; my %config = (); diff --git a/openssl-skip-quic-pairwise.patch b/openssl-skip-quic-pairwise.patch new file mode 100644 index 0000000..088f284 --- /dev/null +++ b/openssl-skip-quic-pairwise.patch 
@@ -0,0 +1,85 @@ +From 42ed594a3a905830374fb65cced431748f8c639c Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 4 Apr 2024 11:50:58 +0200 +Subject: [PATCH 45/50] 0115-skip-quic-pairwise.patch + +Patch-name: 0115-skip-quic-pairwise.patch +Patch-id: 115 +Patch-status: | + # Amend tests according to Fedora/RHEL code +--- + test/quicapitest.c | 4 +++- + test/recipes/01-test_symbol_presence.t | 1 + + test/recipes/30-test_pairwise_fail.t | 13 +++++++++++-- + 3 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/test/quicapitest.c b/test/quicapitest.c +index 41cf0fc7a8..0fb7492700 100644 +--- a/test/quicapitest.c ++++ b/test/quicapitest.c +@@ -2139,7 +2139,9 @@ int setup_tests(void) + ADD_TEST(test_cipher_find); + ADD_TEST(test_version); + #if defined(DO_SSL_TRACE_TEST) +- ADD_TEST(test_ssl_trace); ++ if (is_fips == 0) { ++ ADD_TEST(test_ssl_trace); ++ } + #endif + ADD_TEST(test_quic_forbidden_apis_ctx); + ADD_TEST(test_quic_forbidden_apis); +diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t +index c837d48fb4..f06ef04b1a 100644 +--- a/test/recipes/30-test_pairwise_fail.t ++++ b/test/recipes/30-test_pairwise_fail.t +@@ -9,7 +9,7 @@ + use strict; + use warnings; + +-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file); ++use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with); + use OpenSSL::Test::Utils; + + BEGIN { +@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), + SKIP: { + skip "Skip RSA test because of no rsa in this build", 1 + if disabled("rsa"); ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "rsa"])), + "fips provider rsa keygen pairwise failure test"); ++ }); + } + + SKIP: { + skip "Skip EC test because of no ec in this build", 2 + if disabled("ec"); ++ with({ exit_checker => sub {my $val = shift; return $val == 
134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "ec"])), + "fips provider ec keygen pairwise failure test"); ++ }); + + skip "FIPS provider version is too old", 1 + if !$fips_exit; ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "eckat"])), + "fips provider ec keygen kat failure test"); ++ }); + } + + SKIP: { + skip "Skip DSA tests because of no dsa in this build", 2 +- if disabled("dsa"); ++ if 1; #if disabled("dsa"); + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])), + "fips provider dsa keygen pairwise failure test"); +-- +2.44.0 + diff --git a/openssl-skipped-tests-EC-curves.patch b/openssl-skipped-tests-EC-curves.patch index 7368c60..d500b5e 100644 --- a/openssl-skipped-tests-EC-curves.patch +++ b/openssl-skipped-tests-EC-curves.patch @@ -14,11 +14,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd test/recipes/65-test_cmp_vfy.t | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) -diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t -index 0638d626e7..c0efd77649 100644 ---- a/test/recipes/15-test_ec.t -+++ b/test/recipes/15-test_ec.t -@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key' => sub { +Index: openssl-3.2.3/test/recipes/15-test_ec.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/15-test_ec.t ++++ openssl-3.2.3/test/recipes/15-test_ec.t +@@ -94,7 +94,7 @@ SKIP: { subtest 'Check loading of fips and non-fips keys' => sub { plan skip_all => "FIPS is disabled" 
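Review bot: The `30-test_pairwise_fail.t` hunk turns the DSA skip into `if 1; #if disabled("dsa");` but leaves the context line `skip "Skip DSA tests because of no dsa in this build", 2`, so a DSA-enabled build now prints a reason that is false; change the message too, e.g. `skip "DSA pairwise failure tests are disabled downstream", 2 if 1;`, and drop the dead `#if disabled(...)` tail. The three identical `with({ exit_checker => sub {my $val = shift; return $val == 134; } }, sub { ... })` wrappers hard-code what is presumably 128+SIGABRT, i.e. the test binary aborting rather than returning a failure status; hoisting it once as `my $expect_abort = { exit_checker => sub { my $rc = shift; return $rc == 134; } }; # 128 + SIGABRT` and calling `with($expect_abort, sub { ... })` documents that and keeps the three sites in step. The patch's own diffstat lists `test/recipes/01-test_symbol_presence.t | 1 +` but no hunk for that file follows, so the header should be regenerated before shipping even though `patch`/`quilt` ignore the stat. The `quicapitest.c` change relies on `is_fips` being in scope in `setup_tests`, which this hunk does not show.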
@@ -27,11 +27,11 @@ index 0638d626e7..c0efd77649 100644 plan tests => 2; -diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t -index 631603df7c..4cb2ffebbc 100644 ---- a/test/recipes/65-test_cmp_protect.t -+++ b/test/recipes/65-test_cmp_protect.t -@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" +Index: openssl-3.2.3/test/recipes/65-test_cmp_protect.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/65-test_cmp_protect.t ++++ openssl-3.2.3/test/recipes/65-test_cmp_protect.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo plan skip_all => "This test is not supported in a shared library build on Windows" if $^O eq 'MSWin32' && !disabled("shared"); @@ -39,12 +39,12 @@ index 631603df7c..4cb2ffebbc 100644 +plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test my @basic_cmd = ("cmp_protect_test", - data_file("server.pem"), -diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t -index f722800e27..26a01786bb 100644 ---- a/test/recipes/65-test_cmp_vfy.t -+++ b/test/recipes/65-test_cmp_vfy.t -@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" + data_file("prot_RSA.pem"), +Index: openssl-3.2.3/test/recipes/65-test_cmp_vfy.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/65-test_cmp_vfy.t ++++ openssl-3.2.3/test/recipes/65-test_cmp_vfy.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo plan skip_all => "This test is not supported in a no-ec build" if disabled("ec"); @@ -53,6 +53,3 @@ index f722800e27..26a01786bb 100644 my @basic_cmd = ("cmp_vfy_test", data_file("server.crt"), data_file("client.crt"), --- -2.41.0 - diff --git a/openssl-truststore.patch b/openssl-truststore.patch index e43f30e..53f0b82 100644 --- a/openssl-truststore.patch +++ b/openssl-truststore.patch 
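Review bot: The refreshed 65-test_cmp_protect.t hunk keeps `+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test` as context, which hands Test::More a number as the skip reason, so the TAP stream reads `1..0 # SKIP 2` or `# SKIP 3` and says nothing about why the whole file is skipped; the 65-test_cmp_vfy.t part of this patch presumably carries the same line just outside the visible `@@ -53,6 +53,3 @@` context. Since the patch is being rebased onto openssl-3.2.3 anyway, this is the moment to make the line self-describing, e.g. `plan skip_all => "CMP tests depending on disabled EC curves are skipped in this build"; # upstream: plan tests => 2 + ($no_fips ? 0 : 1)`, keeping the original arithmetic in the trailing comment so the patch stays easy to drop later. The rest of the inner hunk (the `#fips test` arithmetic's original form) is not visible here, so confirm the replaced line before wording the reason.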
@@ -1,10 +1,10 @@ Don't use the legacy /etc/ssl/certs directory anymore but rather the p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) -Index: openssl-1.1.1-pre1/include/internal/cryptlib.h +Index: openssl-3.2.3/include/internal/common.h =================================================================== ---- openssl-1.1.1-pre1.orig/include/internal/cryptlib.h 2018-02-13 14:48:12.000000000 +0100 -+++ openssl-1.1.1-pre1/include/internal/cryptlib.h 2018-02-13 16:30:11.738161984 +0100 -@@ -59,8 +59,8 @@ DEFINE_LHASH_OF(MEM); +--- openssl-3.2.3.orig/include/internal/common.h ++++ openssl-3.2.3/include/internal/common.h +@@ -82,8 +82,8 @@ __owur static ossl_inline int ossl_asser # ifndef OPENSSL_SYS_VMS # define X509_CERT_AREA OPENSSLDIR diff --git a/openssl.keyring b/openssl.keyring index d7ab2d7..84cbddc 100644 --- a/openssl.keyring +++ b/openssl.keyring 
@@ -1,305 +1,31 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Comment: 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 -Comment: Matt Caswell -Comment: Matt Caswell +Comment: BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF +Comment: OpenSSL -mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay -hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3 -iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi -2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa -N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz -UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0H01hdHQgQ2Fzd2VsbCA8 -bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkK -CwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0zU0ARvUXH -jbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR -nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p -3tPbnQzANjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyH -sIvebMgKTI/bMG8Z7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0 -hmHLqjWqYs5PzyXeoNnsPXJt69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga0IE1h -dHQgQ2Fzd2VsbCA8ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsD -BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+ -viob8935Uirei4FvnzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeA -RGwWTQYGmFmrNRWZ2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAj -eU8uSarmeZgGVMAInsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE -5Q7wnnoRXdLyNet0AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R -4gYFS/xGfTgocPUDZ4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO -5vISJkZvqE5UuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg -icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM -k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6 -2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex -F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ -P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC 
-AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v -Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb -SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x -dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL -HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2 -8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2g== -=Z0q9 ------END PGP PUBLIC KEY BLOCK----- ------BEGIN PGP PUBLIC KEY BLOCK----- -Comment: B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45 -Comment: Paul Dale - -mQINBGApr7sBEACoyczHMNgWiVg4jMjtdkb5j7csKPdFx8B7FJNMFrL/Z/I1BjwM -TQ7fxKvDN6z3mjAMKhU+wCL9vUSSMUtyze/fox09n84jYDwN3n37ozkrhcDB01ia -iKCCeRNEW6meTs3/aJPGCznIOk/kMHlnZnQPcSphIexo/ZUyB59h6smz2LvoTZg0 -aeZeJwe0cfaVnWYA1a9wr+QJDQwRkEqdy772cM03Phs/sRWd4+nBqP1XxWlX30Yj -VGjDsY3gH9AAy4oUnb7tOmk5S9FIKuMdkkWeU0Abm8/36OfZyMFbZDAMbO8i3un4 -eIQOg5tjynSXYel3nlJ/fwoSHefPgavCkBdknk842LM9xr22t+IKmy99uW7FDqvj -wbPoMg6z2Jarl0Fqu3GhIjCmKMe6TBfkYwB4fp5KtzRwrSjDo16vkMoM69mXqA7w -f1JV+BKvE6QTePNt8ix4ib5c6mPOrFnYG1X3tkNOc4/q6KcGbvS1xMax12q2/zSZ -PmoJvzWTrSF8lQDZKjMnXnhrZMY8h7lu/QE4DQ1M9U1PFdf6vwLrNaHHfi/rWKTe -fsrGp2TIqU4lm45p0fDroYqDML+gp8RMUZBU8M4wGwhludEiCoOFjXu2ECvvgrB7 -JHrh+FtMuuRPx4q2eRO75NepDfZqmp48PIqkt2b3VjisNceB70uYiUQ2eQARAQAB -tB1QYXVsIERhbGUgPHBhdWxpQG9wZW5zc2wub3JnPokCTgQTAQoAOBYhBLfBwUNg -81OjaGLk1SMchM3cxpxFBQJgKa+7AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA -AAoJECMchM3cxpxFa0YQAIAnnNek3+UXZL/u4R6hs/lJopC9p/MFbCnL0b1zZnbz -Kbbva10PA3PEv+szhylDKeDIbDKF1yEjI4BTNCLS8sLKEZWSLTMW1MZhmxWm5TdF -ebhoj6Tjjfxme4ETyk3+v3hC3Ylm0jiqHHErutRAPIW1VDFQVxKZPasv1yj3YNiB -SktTSH1MjZZtlDYjp9z3VTczvrO3BBJJSxQ5CY749pEwtjwdLTqOVtoJL8thZ3J9 -jSnSDsgFVp/pPNVxxV98Yd89JqM34MvOuD3jYSOEtMUCJgMFXNZ/c2+BpWrX+ssP -qrY9vBrq7o91K+OQHbb4Z1pjK/dzDq183E32uTOYbco7ga/JqE7c997zY0fgQsIz -hdEveC4oMydzwHQ9WzHUYR7AtTgF9kKsTHy8H6ye3uaJMIMSEdAvI4mxG/k/zG/Q -KrIt1nUJh/M7uu2IT9fM+AoR+2VV1u1vimxpCpOXpTB4mTIR5YfiaRfXnHm55iq/ 
-odxVj/yVqFUcujy+YC9SAoKRGJRQV0KZur1xAOJsgwUJ1iXJZwypowkI59jpwl2q -WCfZIS1ZrpIebiVk4ZBaHDe1v178uLO3IasZR7HLvcD7ESX8U88ng8J1nXHq+Uc7 -4j5Dc6CMTd5WYTkFvhjO33JiHncK8CLYOFsndIGXts/OEhp08N5JELHCeSuu4UIb -uQINBGApr7sBEADNQ6w6jQNqxWxHDjJzcXclQJFPB2qlT/5eMa7QeOYiJ5DmY2VQ -P0Mltkmrc8T/I9NfRFpaB7Z+8zE5lmjSi3N5fYWjhoZp9oP0WYfSLef4KpD7KfEE -TaBohn8cw0Kt+nmEN904w9kpLE+WAvD0qRKnilcCUWE5Es719W8dMh/8cB6FiCI5 -8myIvV63yDV1DiNyEcKNeasIFF8n3FCd0gWPXXS9Fe7muQpIJ4Lb2p3ylqcY9UaU -8n+LQAb1LL1kC468MU0LBhhkCnZ2BacWnJu7JrzQ1Nihk+JRyXt0QARcgsITt8+3 -rQdZDb6o6jTixClNXOJ2LGZMAI2NrQppfn3uBny06veyde9l3riwtOYwqEfETt6O -Ndy0gOd4zelPOnfMtzwDePC0m0b5ibNsMGVYGu5bmu4XFZrk8ivcAiEg4TJHcYtU -meONyuhmaCbcG8in0GZvUgb/YLcBpLBhFFUUd1ALBfi6cXlvFlSU0HHQoNRIAyFt -C1DQaAOWQ9v21KSF6zFG9Qg3yHKy+xBjXjfp0IZOqN5jrmXxbfl/+LWqUHD54tmS -iHrUf1CiW6no+4WBI9f6/+QCVLFBoStlNgoRt/OcIXmq1cTJ2pTSPl3S0+HobCEa -llEGEDXqsGxmV2kNmxsUks/knEGFElp/XtMrhykicIdQYntMaRebljrpiwARAQAB -iQI2BBgBCgAgFiEEt8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sCGwwACgkQIxyE -zdzGnEW2ew/+IzGVXgB34NeHnaLVDTtiUXgrNoOV4xFTS+kvZXrGC5i+mMhae9Pc -gvAyjssJ7dVP2RJBSNkfdxrRd2D4HFcf3dn/n646HNiTinirfvoUf4VIA1jdDp9q -ixi//tO7fsPyn35d672OA9AC3ccBgji6V9XA58REonF+ap2bE0JBJYTJZrET9Wny -BPEjefdpORSHaXqimfHN59QV5gXEFZ4Ci1jCt9n6WEb0oo+kQTkUb8z7F9P+7ojj -Q+4KrgtlXb9ijxCwMfGRPNInnumqyKJ0PhTVwhM1JNdi53nwVY98OGEZXWiKPFQ6 -lAGyLLXwaOSztKGSdsFPK/tpyVihwoqHjJCU5St/PVlpvRKhbtq24FfDu7YyDO2Q -Dp2/F+QIdVnUFO2I1xeb2k+/Tx+3nfKYNui+AFaudOblrYQzPrlswJzCmmB/OTkt -wuOqr2nvQr2JUwmSaRvdCAe8EI/HAa/ujlA87T69L4T66KwBWuBkIYZQxFtCiC+B -mksPCYe9TBTZm2+8xk6UiSMKurwESTkDj/uUGmtGHi3cSJPSQ5x41COSEc+/yZ0k -eQTSnnkVrB71cMr2yVe9WWiUqUoHbkwiiy9YAHkp76jHbTRsCjs8O2otioAW06Yb -7r1iWp6twh/giBzsVJndeP5Ss/85TQfrl8x8yJjv1OQiIRrTTz6GdU0= -=AbiA ------END PGP PUBLIC KEY BLOCK----- ------BEGIN PGP PUBLIC KEY BLOCK----- -Comment: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C -Comment: Tomáš Mráz -Comment: Tomáš Mráz -Comment: Tomáš Mráz - -mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr 
-55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH -F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi -UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag -pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K -/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv -MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8 -laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB -HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3 -zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06 -YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB -tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK -o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe -AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy -U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE -KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W -nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh -1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I -m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj -kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD -IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M -8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6 -z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41 -xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM -MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh -BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL -AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk -8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO -UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv -FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW -FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q 
-UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy -Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS -2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW -kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm -T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI -yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I -8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J -AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL -CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh -KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo -2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ -+J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4 -yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M -cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A -ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly -Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y -q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt -Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj -hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI -w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93 -VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27 -1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp -djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50 -IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK -bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn -gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w -NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh -D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H -a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB -HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc 
-nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv -Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy -Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+ -otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5 -SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358 -cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0 -8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ -vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV -yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A -HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg -K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs -aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh -uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE -cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk -RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F -9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/ -JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g -muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN -86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr -HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S -DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE -ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro -uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY -YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl -JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u -aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq -oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7 -FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM -ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL -vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+ 
-i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb -PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum -ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE -N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH -eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs -LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM -JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh -QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB -uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS -nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u -sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD -NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C -nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE -FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ -qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX -Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc -zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2 -TIdjvGbJ/k4qxw== -=Ctij ------END PGP PUBLIC KEY BLOCK----- ------BEGIN PGP PUBLIC KEY BLOCK----- -Comment: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 -Comment: OpenSSL security team -Comment: OpenSSL OMC -Comment: OpenSSL Security - -mQINBFQv6Z8BEACuJwJkw/Iniec6U1RzocYHBFKl1eE0WBu1vthYmcn0D/GJKvWM -kRhx9GSlWMqj9mgSFUOsFWrpPIm3Jzh4bLweUjH5I7R0Frh39dDFh1hhwHEholBy -yUGFTb8TppptXnzzDoNz4yUQcRP2oeG1vC/ePXPWHKgtp+0hmM3MQ3WIN+gSmpdt -4vMIoWKKCq+E1tYcsFk9URBWWEwBw+OJ37o7TrernyxwtXwdPOjYhA4mLtnKHs+5 -QivuOvK7gNf5hggyv6fp6d2ixvJZ9CdUYFdlOwaHA97B694RcAMxaMtzUpfkiJ/Q -2zR83QG4az6COKK38W6Kp7bLveMF6Rb4Y+gOjV4KvHKpzNAP2sNkmCIohlmoPhT9 -Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO -3GLcyTJW4enmTUFxy0d24Bfdgu7FpH1vHIisDkON3QO4TMwCJoLWGULqpJKP7kUf -5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc 
-zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK -eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB -tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz -bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck -Z9YTy4PH7W0w2JTizos9efUFAmPX/PkFCRGJRs4ACgkQ2JTizos9efWXgg/+Negn -a1HZIWs18LDktjV49a3IeKhjJV+UrTvQnFpSNXbwpnKa6iVX9PlE+3nLkIrkz6HJ -uBl1MZElcmrqIsVCKHcrbcJSgZM4fV0AgEEm5gNfK19gbJjs1qdbtwTYccDiHwGl -4EeTkPsOCo20QEC8jvkdHvMsvoD11c57NprQVVsOyuyz7B7LwV+6hZ2MAv6BZrNE -XBjzqxHGKcq4iyOKTGwRAufiXdq2+kV7GVjihH41YjV08f/b7O2uAm4k/IbULtvY -3Y/9rVvtU/Na044FQBGObH7/DbEOc8uFAH8Vy7M32rZmQet7pO8M5BrBMAaU2OAz -ZQ5CqauGvjTJ4GXi+pBoCVafPvsGkB1W6IxnPPJZsFw9kxOKSV1Md4jh90OdaIGe -HW4qagRaLDtDRtkFnIkbtc38HC/e30ANoNS3Enws7XSNvQ+O7HfeSsATsM/2cjL8 -c281Nv9o+xaNI4TN3KsfRswcQtnsN2cCkPZWKgTJcjpdANkX9CK7mYNS8bu6YsAV -nRF2iAB25Vjcz/92Dd28/nPI2CkKkOMhDtnFty8B2LZ2tbfoU1DsNzg+b3ejaXLZ -jhnZdL3b3F4iKpyzDhTpDHo4P/yxrtV8LOmHJN63oc1JljqgkU+RcxndSZ/LDHqt -VH02VwVHMVt4no62mZj2UNT2+Ci5p+tze4Rhfl60JU9wZW5TU0wgT01DIDxvcGVu -c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID -AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f87QUJEYlGzgAKCRDY -lOLOiz159XBzD/9InUdyS1hdC7f2uEbD5A+5UFUwy9hqzy8sXLrGfUMtJC3Ur+CA -RqpHw6LC9oqFlAMhdSpIINzswLvpYqYKUllQWw0bStqWed6wuonC7nQk4fJhaWhT -MEyVNC7gpy1FcFQYZZ/rwVxftvV6EesOIL+cM9Tg2IKvdrJsuFtmhcrEmrAVrPuO -VkIBbOjylU5iHbs3hW15DqMXiu6s9wLlxSJtqWWcGT4Xp3SjUy2XRzsWwFPrdsnZ -cj1h1C1onglIpNuq7yQF6rrBmKUdy7FClXswEg+He6qV6zLhZo6bRAZO2b/g4aNX -NVOh5BS9ZpQds5FejHx3la6GzfPM/szC0WJR2r/6RqR/dizrPlhsJX3g5I+fRnNG -mOrUa7S/OrR3QlWyE5pvytKTno0UvPuITA7MGtQf3z4n4UbM7bYyLmCIVEkDQl9K -ax1vtEYLKKx7sVLmJUQVqo8RmmjottRZ6+B5UWOB+dXvt3Z+mJLHt92y6NLk4iOX -q3bgO9eMPgk+GdLXjgtgeu7S33BNE984/0B+jDLqhgEjK2spA50uPXBUtDm+Au+s -1zfePJVfQxdaoKY00iOltujRS6sqE1PtbebTHgDakxnr9MClzTmRz6ymAglxo72o -gk0OJCNELdckK0HHd5hGLEKBlSVGYSx2J985o7VE/raBr7/YULm4k0LXJbQvT3Bl -blNTTCBTZWN1cml0eSA8b3BlbnNzbC1zZWN1cml0eUBvcGVuc3NsLm9yZz6JAlUE 
-EwEKAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE78CkZ9YTy4PH7W0w -2JTizos9efUFAmIp6vAFCRdgAsUACgkQ2JTizos9efWbyA//cw5h9kzqjHNPrWyU -nqchSA/BAxGAfv8IW5vTXKIGou/vbF+2eV4pGe8cjYErfiEMI2XEqgW3NqtB8Ie1 -JpvHb/JARDpXRAeO0nAz68UZiv0s+BYG1cL0MJgxSmwLEo1XIxx+NYQRPaIPhWId -gdJmhOylGHRbZPfUu0gsX3JvFYYJvqSbZYJx47JzLgvsaRtY06oOt89hqVOp9geS -4HtwcZiIohq1E4Fy8+TYR7iMv62lBAG0xOoLCy4UzM3pVbChzcfmLLtH4ZbDO2ks -vhafec6lUetxMJuvqClp4oYDp9ucrcZF3pJA0feSGF6EXOmYo3KMiVbG35DqfJrI -8gva6QPTFo8WRsTZ7hUrn/BioXx7Orrmtl5++IPAU7c/0JPHCVordxinD/XDdcFV -s2IIf5iL914/CaI8AXmeM4H0m9kuaS9N0UI8+3gIBhO19cP1VJBw/EWdwjwHtUlf -d6mOAbwuVAjPEWQmcf0jIxoUR9t+3ieZjPdcHus5d9/xH2iOLdEHYQRHRiLlKFtu -PhWgqy7UgpWRye/628at5C9m5TfGQBldSoOkUzPQGGpV3pUiHeJlQPBAYl1AAvAK -8+Y2T9iSZXUuMXiMp3lplDEzXKHjUaXXUkgFuGs/L8YB+BBNBSE/GS078kQrc6Wu -y7mmnE22aFf7G0N/hin+9QeIWJq0J09wZW5TU0wgdGVhbSA8b3BlbnNzbC10ZWFt -QG9wZW5zc2wub3JnPokCWQQwAQoAQxYhBO/ApGfWE8uDx+1tMNiU4s6LPXn1BQJZ -2fY1JR0gUmVwbGFjZWQgYnkgb3BlbnNzbC1vbWNAb3BlbnNzbC5vcmcACgkQ2JTi -zos9efVQIg/8C1c/ChPOM/ojwXA1yUeIa4rD6BXlLDetE3KIqD1MvR251xV8Ox21 -3GYFHW+6CEfQ82xiy02CB+VsYh58tMi41NDWq6fkZOW4vFnJbFx/pYk8xFMl0ml3 -LkGsh9cVoesSiEBAsF4vQ/bmCNfM68DsLtjAK7GQobcW5ArIqvgc3LlYXUspkgE9 -yMcQcPqyMsNrEPgrFCcd3fWzXF1qsO8Rtd4bwyaJACkpQnZ832wY91uuMGzWcG2A -+SxkdOFPuDkWm5l8hbA6+DpdFp/YiDnfwAZqr6uoqdkcT0e8IRsGqJ2FJ7qHeGSv -kFjkGHaOPkJM69lJIEFMCrjvBQVN4b8HhcqbnJbnrWVGFDxgSdjNvXqzBDJgDqMh -GN5ZHJhGhiZDi02uzqJ0p+OUzK1CiEo0/Mc7Nb5sVfvYrP4LoqKRceNePgwZp8Jw -OnC5U84TWa6pHYm3rijfrBPPMFex9NDQQ/KEFINhAMQVMUtj2iy5ANPpqsftOIjs -RfWWn+7QIi4EuYRADcllRaHJaTBAzI56ngkDaA55oyaMnSUnu0fjgWTiD4CEVbsS -rR0nWJKhCg5DbVwq/dImoN1iK78ziR6cJdeQhe3GY+AdWe7Ci+75TiYy8Zlh9Sz4 -mpl81xRz9eYcO/g0xG6wpPE/fqua8/AgeKArEKJWN1uvKCCFZzRB7uq5Ag0EVC/p -nwEQAMB3s+8dq5T8fW+b3OcGujEcbhyguc6D5shlNWsuCV3W7+izsVUe+0hD1YwD -30C6zj2+CJrMxPQ/BB3u3SbyHMDP5fKL7GQiA/n192hX2DuHxvQwnDNkHxYghtrF -KOlXAyte2awA0fC+e0o8lHa1Yd2ZZNqlDC23qJtLMJH8bX8CIr59KckNyv64bF+h -VPIN3evnh1Ajn4A85848EZMQcjedg72MsA3TW2D4omayY7eXE5uut7FYcY6SM4pT 
-hIB2X9DM39Rgy3qC4ObvEkEfaWnJfHxyXiA8XF+FZukXc/iM68P0VS/sMml9QPsY -MWnMHcGlOcuzQJRAalqZJwuK0ZIvobh/Y9rYLxrHtNCgSjaFuSN9K/YhpAxs80H6 -lVa7GCSASTRrS3OvmY++fTsUPzSOvit0kqQfimziYx7QcJIagG92mvUmuf2PEfzv -Si6iaIqMhaTaJq5qxOR0q430KakQktNPX53HflWL7YenDPYw1rEyQFxGqjaBY1X8 -NtuzZ0P4cahgsBFc8HgYu2u3Ysd5wmvSTsOXld8Qsns1KIUOpzgWw56AJ6dxS3lK -4QSUFwjzbZW9H0jJ49eBMAaA+hCjv8c/4BFuZq9Gvsafn425Lx1V/3PFJlPu55V+ -7qWjeOkSzNctMlmCqPQVetbZ/pHLAJO5IUO3SoTs5kl6bARzABEBAAGJAjwEGAEK -ACYCGwwWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f9DQUJEYlG7gAKCRDYlOLO -iz159f5RD/9Dhv5+muyWX9U4wNH7Dt7KHOtFyQ6+YrlLGj6WgZlFQD3sz1hVabJs -HwFuiaIjnZmQwiUJm72jCMUncL3OsWrQXm6SU60aG20XeQl1oXWmSD9D/len23hO -Yo/3WsC3o1AIkLA9cJ3h/oo3I7RE30skw4MwQ4oCFlmidmOLvkz3TD22qxf+WaK7 -KO0vJRVHQIVl1ZdsBSSULcr8BcupKXaKSBJQDya2TkEh6OUf1B/7EIk811oeNSaL -9eJXS9VGDytVyjGGXSbudBw2XAV0/oiPPDKYElbOZH66d6marGwCCdc29cNono/7 -zf0+/hyunzY3m1PkYGyzUmfWq4WNulJ9GEAz0O1rss/4hxnGqn/m3gue+aQx4hji -/K/vAV+531YT9MEp6m6e3074a7Hvn2l/tsBoL1Xseb6J9ZGL8fnZiuG6RF4sP1Lz -sQXmyjgr1yTlCShgNQCYXAgprWXPCwv176kL0WxkGhcI+GmSe3kNWr3HYoeTfBQ/ -G8GWaIZ2qJRY/d/P9bgWu3oztWcVqEDorK3Pbu5/VeIeEfIkc717EgvdZU4EB70v -E/jnY1V9GLFzdPcygy7bz5aA4IA/Y12VFdhQ9/E7HFvEv0KUa294rQiH86lRyCJI -aEUqeymypLjoU2oeR4Cujkne+5spQHBfn2/RWGqH28v+vqHysb/8GA== -=Q+Oa +xsFNBGYT46cBEADnGgpkGwVTO5hu+sqoC3UWXM1nxr3v+tLveHQQlMA/MLDwK+TS +1sMFSsOEE1ehAlhaEVCaiHSh+8PSqs8bvxrkbC8FXj6UkHvdZOoBgoDqEVUXawen +UmW/3OEQtC/815ByacwHsbgabTY+bXQBAvKnDsKMIg04YlE1UVLnO6Rf0v/AvnlK +400c0J/KOPOXP2+e5dYMxRN/8CMFA+Jo8m1N2/gDKb3y1Ga6Ug9Qg/7VmL+zp/9A ++JnVQFhVQgpt2hVGKcKteJvDJODRAmBG371E+KV+lnh0jvALUxGiC+h/XrHmm8Em +7hQM7LLoVKGDPxYYUQKA6U6+//Q3J7JgrstLTxAZ6Xz3516o8gM4EeNXo/rXNqNw +Ng4zKeYAU0klk0hDIf7JHluT/Xxy9ezgRK6V3RJEvvjA1RjpsTVe7uDw5GPEoRO/ +xXtcLghhPixbL6y1FOspZqx3BzroX6Ic4V03Ub61YL6Zx3Q3tTcaj+4QFGXVA3SN +WL6is2XBdvZAiOgO/7lbRXGq/vFtvynYPLEx6LbZdKtdfADUCgD7If4gvif5yaL2 +isSfD3UmoXPdDDLGdga5/dhmg2658AigHw6t0fPWnxPx4EUc1tL2bb+dEG+soRoj +s4QHHoAhEeVEKdeFfu7lE3i0omS/mp63IFUFI7AybnHYiZ2ujyc5sBBsnwARAQAB 
+zR1PcGVuU1NMIDxvcGVuc3NsQG9wZW5zc2wub3JnPsLBlAQTAQoAPhYhBLpUc6Kw +WHsH+yfPLSFglN/Qy4HvBQJmE+OnAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMB +Ah4BAheAAAoJECFglN/Qy4HvXIcP/jCgVgZ7wMwMaDqbwBJOVKQ7sVzNvjy1xMr+ +XkXn1FHme1MlRl4Uw9Wzeh8TUckzx59+CAqe/pRRYhR9kL0S8WUhoa4VK61c47WS +0wFWzOOuQ4JQO9v9zP6hsKubnQdA9ggq3rvkFrRDIV0DPU6iFxXs2/kYmuqHxIkO +GgLx+aCWPx0XNAdJyov46EbQnIjJOdialeC2dIEdIU0Vk5N0jWYv6MKweAmXRVLM +Jusz3yfNZ0FmydSo90aNQcQz4fp3vgF8qP7Z5BmMOSWOnXJawJd8+ic0RXRWdsMS +oxyAEKH/98IUPZII8N8c5u8pAJ52m7LQRm8CKk4GzylStaV+Pe6PuNTVkx1sIE62 +Sv0RFbd2yJ5Wou5Z/1lRZvzjF5R3G+dobKZLym2HwNkJtFROODFqiPkcKYCSSd4c +sqlOVh2X6/8VlJZ9Q4r7pAm/ulPnf/PSEo8l7kr/JS7Q09nlwNaa5l9nwvrt2z+u ++5dNZt5syyVgpNd4mPZMFb9TXqoFrhrZfLGZ2I3GQ7tLX2boHhBXNl32a1sb2Qsv +9fbz++sFbYrfDhsjH5eEwBjW7o4Kkd/cTMJGufLczy3Cb+RyrjyBrSwfMQf0xHkp +QKidfWOKv9j+yeEhGVCHaIPilYNVeZFRHzL1H9oIkda2BZamj7iYveVnnDBjgpN7 +k6YNfbUM +=Fi54 -----END PGP PUBLIC KEY BLOCK----- diff --git a/reproducible.patch b/reproducible.patch deleted file mode 100644 index 6c40942..0000000 --- a/reproducible.patch +++ /dev/null 
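Review bot: The keyring that verifies the tarball signature is replaced wholesale — the four developer keys are dropped and a single key labelled `Comment: OpenSSL` is added — but nothing in the commit records how the new key's fingerprint, given only in the armor's free-text `Comment: BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF` line, was cross-checked, and an armor `Comment:` header is writable metadata rather than part of the signed key material. Since the diffstat shows openssl-3.1.4.tar.gz.asc removed and openssl-3.2.3.tar.gz.asc added in the same commit, verification of the new tarball rests entirely on this one key, so a sentence in the commit message naming the out-of-band source the fingerprint was compared against would let a reviewer audit the trust path later. A second `Comment:` line in the keyring itself recording that source (e.g. `Comment: fingerprint verified against <SOURCE-URL placeholder>`) would serve the same purpose for anyone reading the file without git history.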
@@ -1,929 +0,0 @@ -commit 0fbc50ef0cb8894973d4739af62e95be825b7ccf -Author: trigpolynom -Date: Tue Oct 17 22:44:45 2023 -0400 - - aes-gcm-avx512.pl: fix non-reproducibility issue - - Replace the random suffix with a counter, to make the - build reproducible. - - Fixes #20954 - - Reviewed-by: Richard Levitte - Reviewed-by: Matthias St. Pierre - Reviewed-by: Tom Cosgrove - Reviewed-by: Hugo Landau - (Merged from https://github.com/openssl/openssl/pull/22415) - -diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl -index afd2af941a..9f9124373b 100644 ---- a/crypto/modes/asm/aes-gcm-avx512.pl -+++ b/crypto/modes/asm/aes-gcm-avx512.pl -@@ -155,6 +155,9 @@ my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE); - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11); - -+# ; Counter used for assembly label generation -+my $label_count = 0; -+ - # ; This implementation follows the convention: for non-leaf functions (they - # ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from - # ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)]. This -@@ -200,15 +203,6 @@ my $CTX_OFFSET_HTable = (16 * 6); # ; (Htable) Precomputed table (a - # ;;; Helper functions - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - --# ; Generates "random" local labels --sub random_string() { -- my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_'); -- my $length = 15; -- my $str; -- map { $str .= $chars[rand(33)] } 1 .. 
$length; -- return $str; --} -- - sub BYTE { - my ($reg) = @_; - if ($reg =~ /%r[abcd]x/i) { -@@ -417,7 +411,7 @@ ___ - sub EPILOG { - my ($hkeys_storage_on_stack, $payload_len) = @_; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) { - -@@ -425,13 +419,13 @@ sub EPILOG { - # ; were stored in the local frame storage - $code .= <<___; - cmpq \$`16*16`,$payload_len -- jbe .Lskip_hkeys_cleanup_${rndsuffix} -+ jbe .Lskip_hkeys_cleanup_${label_suffix} - vpxor %xmm0,%xmm0,%xmm0 - ___ - for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) { - $code .= "vmovdqa64 %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n"; - } -- $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n"; -+ $code .= ".Lskip_hkeys_cleanup_${label_suffix}:\n"; - } - - if ($CLEAR_SCRATCH_REGISTERS) { -@@ -537,11 +531,11 @@ sub precompute_hkeys_on_stack { - && $HKEYS_RANGE ne "first32" - && $HKEYS_RANGE ne "last32"); - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - test $HKEYS_READY,$HKEYS_READY -- jnz .L_skip_hkeys_precomputation_${rndsuffix} -+ jnz .L_skip_hkeys_precomputation_${label_suffix} - ___ - - if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") { -@@ -615,7 +609,7 @@ ___ - } - } - -- $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n"; -+ $code .= ".L_skip_hkeys_precomputation_${label_suffix}:\n"; - } - - # ;; ============================================================================= -@@ -1418,20 +1412,20 @@ sub CALC_AAD_HASH { - - my $SHFMSK = $ZT13; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - mov $A_IN,$T1 # ; T1 = AAD - mov $A_LEN,$T2 # ; T2 = aadLen - or $T2,$T2 -- jz .L_CALC_AAD_done_${rndsuffix} -+ jz .L_CALC_AAD_done_${label_suffix} - - xor $HKEYS_READY,$HKEYS_READY - vmovdqa64 SHUF_MASK(%rip),$SHFMSK - --.L_get_AAD_loop48x16_${rndsuffix}: 
-+.L_get_AAD_loop48x16_${label_suffix}: - cmp \$`(48*16)`,$T2 -- jl .L_exit_AAD_loop48x16_${rndsuffix} -+ jl .L_exit_AAD_loop48x16_${label_suffix} - ___ - - $code .= <<___; -@@ -1499,15 +1493,15 @@ ___ - - $code .= <<___; - sub \$`(48*16)`,$T2 -- je .L_CALC_AAD_done_${rndsuffix} -+ je .L_CALC_AAD_done_${label_suffix} - - add \$`(48*16)`,$T1 -- jmp .L_get_AAD_loop48x16_${rndsuffix} -+ jmp .L_get_AAD_loop48x16_${label_suffix} - --.L_exit_AAD_loop48x16_${rndsuffix}: -+.L_exit_AAD_loop48x16_${label_suffix}: - # ; Less than 48x16 bytes remaining - cmp \$`(32*16)`,$T2 -- jl .L_less_than_32x16_${rndsuffix} -+ jl .L_less_than_32x16_${label_suffix} - ___ - - $code .= <<___; -@@ -1556,14 +1550,14 @@ ___ - - $code .= <<___; - sub \$`(32*16)`,$T2 -- je .L_CALC_AAD_done_${rndsuffix} -+ je .L_CALC_AAD_done_${label_suffix} - - add \$`(32*16)`,$T1 -- jmp .L_less_than_16x16_${rndsuffix} -+ jmp .L_less_than_16x16_${label_suffix} - --.L_less_than_32x16_${rndsuffix}: -+.L_less_than_32x16_${label_suffix}: - cmp \$`(16*16)`,$T2 -- jl .L_less_than_16x16_${rndsuffix} -+ jl .L_less_than_16x16_${label_suffix} - # ; Get next 16 blocks - vmovdqu64 `64*0`($T1),$ZT1 - vmovdqu64 `64*1`($T1),$ZT2 -@@ -1588,11 +1582,11 @@ ___ - - $code .= <<___; - sub \$`(16*16)`,$T2 -- je .L_CALC_AAD_done_${rndsuffix} -+ je .L_CALC_AAD_done_${label_suffix} - - add \$`(16*16)`,$T1 - # ; Less than 16x16 bytes remaining --.L_less_than_16x16_${rndsuffix}: -+.L_less_than_16x16_${label_suffix}: - # ;; prep mask source address - lea byte64_len_to_mask_table(%rip),$T3 - lea ($T3,$T2,8),$T3 -@@ -1601,28 +1595,28 @@ ___ - add \$15,@{[DWORD($T2)]} - shr \$4,@{[DWORD($T2)]} - cmp \$2,@{[DWORD($T2)]} -- jb .L_AAD_blocks_1_${rndsuffix} -- je .L_AAD_blocks_2_${rndsuffix} -+ jb .L_AAD_blocks_1_${label_suffix} -+ je .L_AAD_blocks_2_${label_suffix} - cmp \$4,@{[DWORD($T2)]} -- jb .L_AAD_blocks_3_${rndsuffix} -- je .L_AAD_blocks_4_${rndsuffix} -+ jb .L_AAD_blocks_3_${label_suffix} -+ je .L_AAD_blocks_4_${label_suffix} - cmp 
\$6,@{[DWORD($T2)]} -- jb .L_AAD_blocks_5_${rndsuffix} -- je .L_AAD_blocks_6_${rndsuffix} -+ jb .L_AAD_blocks_5_${label_suffix} -+ je .L_AAD_blocks_6_${label_suffix} - cmp \$8,@{[DWORD($T2)]} -- jb .L_AAD_blocks_7_${rndsuffix} -- je .L_AAD_blocks_8_${rndsuffix} -+ jb .L_AAD_blocks_7_${label_suffix} -+ je .L_AAD_blocks_8_${label_suffix} - cmp \$10,@{[DWORD($T2)]} -- jb .L_AAD_blocks_9_${rndsuffix} -- je .L_AAD_blocks_10_${rndsuffix} -+ jb .L_AAD_blocks_9_${label_suffix} -+ je .L_AAD_blocks_10_${label_suffix} - cmp \$12,@{[DWORD($T2)]} -- jb .L_AAD_blocks_11_${rndsuffix} -- je .L_AAD_blocks_12_${rndsuffix} -+ jb .L_AAD_blocks_11_${label_suffix} -+ je .L_AAD_blocks_12_${label_suffix} - cmp \$14,@{[DWORD($T2)]} -- jb .L_AAD_blocks_13_${rndsuffix} -- je .L_AAD_blocks_14_${rndsuffix} -+ jb .L_AAD_blocks_13_${label_suffix} -+ je .L_AAD_blocks_14_${label_suffix} - cmp \$15,@{[DWORD($T2)]} -- je .L_AAD_blocks_15_${rndsuffix} -+ je .L_AAD_blocks_15_${label_suffix} - ___ - - # ;; fall through for 16 blocks -@@ -1635,7 +1629,7 @@ ___ - # ;; - jump to reduction code - - for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) { -- $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n"; -+ $code .= ".L_AAD_blocks_${aad_blocks}_${label_suffix}:\n"; - if ($aad_blocks > 12) { - $code .= "sub \$`12*16*8`, $T3\n"; - } elsif ($aad_blocks > 8) { -@@ -1656,11 +1650,11 @@ ___ - if ($aad_blocks > 1) { - - # ;; fall through to CALC_AAD_done in 1 block case -- $code .= "jmp .L_CALC_AAD_done_${rndsuffix}\n"; -+ $code .= "jmp .L_CALC_AAD_done_${label_suffix}\n"; - } - - } -- $code .= ".L_CALC_AAD_done_${rndsuffix}:\n"; -+ $code .= ".L_CALC_AAD_done_${label_suffix}:\n"; - - # ;; result in AAD_HASH - } -@@ -1710,13 +1704,13 @@ sub PARTIAL_BLOCK { - my $IA1 = $GPTMP2; - my $IA2 = $GPTMP0; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - # ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero - mov ($PBLOCK_LEN),$LENGTH - or 
$LENGTH,$LENGTH -- je .L_partial_block_done_${rndsuffix} # ;Leave Macro if no partial blocks -+ je .L_partial_block_done_${label_suffix} # ;Leave Macro if no partial blocks - ___ - - &READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG); -@@ -1755,9 +1749,9 @@ ___ - } - $code .= <<___; - sub \$16,$IA1 -- jge .L_no_extra_mask_${rndsuffix} -+ jge .L_no_extra_mask_${label_suffix} - sub $IA1,$IA0 --.L_no_extra_mask_${rndsuffix}: -+.L_no_extra_mask_${label_suffix}: - # ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1 - # ;; - mask out bottom $LENGTH bytes of $XTMP1 - # ;; sizeof(SHIFT_MASK) == 16 bytes -@@ -1781,7 +1775,7 @@ ___ - } - $code .= <<___; - cmp \$0,$IA1 -- jl .L_partial_incomplete_${rndsuffix} -+ jl .L_partial_incomplete_${label_suffix} - ___ - - # ;; GHASH computation for the last <16 Byte block -@@ -1793,9 +1787,9 @@ ___ - mov $LENGTH,$IA0 - mov \$16,$LENGTH - sub $IA0,$LENGTH -- jmp .L_enc_dec_done_${rndsuffix} -+ jmp .L_enc_dec_done_${label_suffix} - --.L_partial_incomplete_${rndsuffix}: -+.L_partial_incomplete_${label_suffix}: - ___ - if ($win64) { - $code .= <<___; -@@ -1808,7 +1802,7 @@ ___ - $code .= <<___; - mov $PLAIN_CIPH_LEN,$LENGTH - --.L_enc_dec_done_${rndsuffix}: -+.L_enc_dec_done_${label_suffix}: - # ;; output encrypted Bytes - - lea byte_len_to_mask_table(%rip),$IA0 -@@ -1826,7 +1820,7 @@ ___ - $code .= <<___; - mov $CIPH_PLAIN_OUT,$IA0 - vmovdqu8 $XTMP1,($IA0){$MASKREG} --.L_partial_block_done_${rndsuffix}: -+.L_partial_block_done_${label_suffix}: - ___ - } - -@@ -2016,7 +2010,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH { - my $GM = $_[23]; # [in] ZMM with mid prodcut part - my $GL = $_[24]; # [in] ZMM with lo product part - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - # ;;; - Hash all but the last partial block of data -@@ -2034,7 +2028,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH { - # ;; NOTE: 
the 'jl' is always taken for num_initial_blocks = 16. - # ;; This is run in the context of GCM_ENC_DEC_SMALL for length < 256. - cmp \$16,$LENGTH -- jl .L_small_initial_partial_block_${rndsuffix} -+ jl .L_small_initial_partial_block_${label_suffix} - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - # ;;; Handle a full length final block - encrypt and hash all blocks -@@ -2056,11 +2050,11 @@ ___ - &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4, - $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL); - } -- $code .= "jmp .L_small_initial_compute_done_${rndsuffix}\n"; -+ $code .= "jmp .L_small_initial_compute_done_${label_suffix}\n"; - } - - $code .= <<___; --.L_small_initial_partial_block_${rndsuffix}: -+.L_small_initial_partial_block_${label_suffix}: - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - # ;;; Handle ghash for a <16B final block -@@ -2125,7 +2119,7 @@ ___ - # ;; a partial block of data, so xor that into the hash. - vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT - # ;; The result is in $HASH_IN_OUT -- jmp .L_after_reduction_${rndsuffix} -+ jmp .L_after_reduction_${label_suffix} - ___ - } - -@@ -2133,7 +2127,7 @@ ___ - # ;;; After GHASH reduction - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - -- $code .= ".L_small_initial_compute_done_${rndsuffix}:\n"; -+ $code .= ".L_small_initial_compute_done_${label_suffix}:\n"; - - # ;; If using init/update/finalize, we need to xor any partial block data - # ;; into the hash. 
-@@ -2144,13 +2138,13 @@ ___ - $code .= <<___; - # ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero - or $LENGTH,$LENGTH -- je .L_after_reduction_${rndsuffix} -+ je .L_after_reduction_${label_suffix} - ___ - } - $code .= "vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n"; - } - -- $code .= ".L_after_reduction_${rndsuffix}:\n"; -+ $code .= ".L_after_reduction_${label_suffix}:\n"; - - # ;; Final hash is now in HASH_IN_OUT - } -@@ -2266,7 +2260,7 @@ sub GHASH_16_ENCRYPT_N_GHASH_N { - die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n" - if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0); - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - my $GH1H = $HASH_IN_OUT; - -@@ -2326,16 +2320,16 @@ ___ - - $code .= <<___; - cmp \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]} -- jae .L_16_blocks_overflow_${rndsuffix} -+ jae .L_16_blocks_overflow_${label_suffix} - ___ - - &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( - $NUM_BLOCKS, "vpaddd", $B00_03, $B04_07, $B08_11, $B12_15, $CTR_BE, - $B00_03, $B04_07, $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4); - $code .= <<___; -- jmp .L_16_blocks_ok_${rndsuffix} -+ jmp .L_16_blocks_ok_${label_suffix} - --.L_16_blocks_overflow_${rndsuffix}: -+.L_16_blocks_overflow_${label_suffix}: - vpshufb $SHFMSK,$CTR_BE,$CTR_BE - vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03 - ___ -@@ -2355,7 +2349,7 @@ ___ - $NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03, - $B04_07, $B08_11, $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK); - $code .= <<___; --.L_16_blocks_ok_${rndsuffix}: -+.L_16_blocks_ok_${label_suffix}: - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - # ;; - pre-load constants -@@ -2805,53 +2799,53 @@ sub GCM_ENC_DEC_LAST { - my $MASKREG = $_[44]; # [clobbered] mask register - my $PBLOCK_LEN = $_[45]; # [in] partial block length - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - mov 
@{[DWORD($LENGTH)]},@{[DWORD($IA0)]} - add \$15,@{[DWORD($IA0)]} - shr \$4,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_0_${rndsuffix} -+ je .L_last_num_blocks_is_0_${label_suffix} - - cmp \$8,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_8_${rndsuffix} -- jb .L_last_num_blocks_is_7_1_${rndsuffix} -+ je .L_last_num_blocks_is_8_${label_suffix} -+ jb .L_last_num_blocks_is_7_1_${label_suffix} - - - cmp \$12,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_12_${rndsuffix} -- jb .L_last_num_blocks_is_11_9_${rndsuffix} -+ je .L_last_num_blocks_is_12_${label_suffix} -+ jb .L_last_num_blocks_is_11_9_${label_suffix} - - # ;; 16, 15, 14 or 13 - cmp \$15,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_15_${rndsuffix} -- ja .L_last_num_blocks_is_16_${rndsuffix} -+ je .L_last_num_blocks_is_15_${label_suffix} -+ ja .L_last_num_blocks_is_16_${label_suffix} - cmp \$14,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_14_${rndsuffix} -- jmp .L_last_num_blocks_is_13_${rndsuffix} -+ je .L_last_num_blocks_is_14_${label_suffix} -+ jmp .L_last_num_blocks_is_13_${label_suffix} - --.L_last_num_blocks_is_11_9_${rndsuffix}: -+.L_last_num_blocks_is_11_9_${label_suffix}: - # ;; 11, 10 or 9 - cmp \$10,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_10_${rndsuffix} -- ja .L_last_num_blocks_is_11_${rndsuffix} -- jmp .L_last_num_blocks_is_9_${rndsuffix} -+ je .L_last_num_blocks_is_10_${label_suffix} -+ ja .L_last_num_blocks_is_11_${label_suffix} -+ jmp .L_last_num_blocks_is_9_${label_suffix} - --.L_last_num_blocks_is_7_1_${rndsuffix}: -+.L_last_num_blocks_is_7_1_${label_suffix}: - cmp \$4,@{[DWORD($IA0)]} -- je .L_last_num_blocks_is_4_${rndsuffix} -- jb .L_last_num_blocks_is_3_1_${rndsuffix} -+ je .L_last_num_blocks_is_4_${label_suffix} -+ jb .L_last_num_blocks_is_3_1_${label_suffix} - # ;; 7, 6 or 5 - cmp \$6,@{[DWORD($IA0)]} -- ja .L_last_num_blocks_is_7_${rndsuffix} -- je .L_last_num_blocks_is_6_${rndsuffix} -- jmp .L_last_num_blocks_is_5_${rndsuffix} -+ ja .L_last_num_blocks_is_7_${label_suffix} -+ je 
.L_last_num_blocks_is_6_${label_suffix} -+ jmp .L_last_num_blocks_is_5_${label_suffix} - --.L_last_num_blocks_is_3_1_${rndsuffix}: -+.L_last_num_blocks_is_3_1_${label_suffix}: - # ;; 3, 2 or 1 - cmp \$2,@{[DWORD($IA0)]} -- ja .L_last_num_blocks_is_3_${rndsuffix} -- je .L_last_num_blocks_is_2_${rndsuffix} -+ ja .L_last_num_blocks_is_3_${label_suffix} -+ je .L_last_num_blocks_is_2_${label_suffix} - ___ - - # ;; fall through for `jmp .L_last_num_blocks_is_1` -@@ -2859,7 +2853,7 @@ ___ - # ;; Use rep to generate different block size variants - # ;; - one block size has to be the first one - for my $num_blocks (1 .. 16) { -- $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n"; -+ $code .= ".L_last_num_blocks_is_${num_blocks}_${label_suffix}:\n"; - &GHASH_16_ENCRYPT_N_GHASH_N( - $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, - $LENGTH, $CTR_BE, $CTR_CHECK, $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET, -@@ -2872,10 +2866,10 @@ ___ - $ENC_DEC, $HASH_IN_OUT, $IA0, $IA1, $MASKREG, - $num_blocks, $PBLOCK_LEN); - -- $code .= "jmp .L_last_blocks_done_${rndsuffix}\n"; -+ $code .= "jmp .L_last_blocks_done_${label_suffix}\n"; - } - -- $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n"; -+ $code .= ".L_last_num_blocks_is_0_${label_suffix}:\n"; - - # ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction - # ;; - convert mid into end_reduce -@@ -2891,7 +2885,7 @@ ___ - $GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01, - $ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09); - -- $code .= ".L_last_blocks_done_${rndsuffix}:\n"; -+ $code .= ".L_last_blocks_done_${label_suffix}:\n"; - } - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -@@ -2985,20 +2979,20 @@ sub GHASH_16_ENCRYPT_16_PARALLEL { - my $GHDAT1 = $ZT21; - my $GHDAT2 = $ZT22; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - # 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - # ;; prepare counter blocks - - $code .= <<___; - cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]} -- jae .L_16_blocks_overflow_${rndsuffix} -+ jae .L_16_blocks_overflow_${label_suffix} - vpaddd $ADDBE_1234,$CTR_BE,$B00_03 - vpaddd $ADDBE_4x4,$B00_03,$B04_07 - vpaddd $ADDBE_4x4,$B04_07,$B08_11 - vpaddd $ADDBE_4x4,$B08_11,$B12_15 -- jmp .L_16_blocks_ok_${rndsuffix} --.L_16_blocks_overflow_${rndsuffix}: -+ jmp .L_16_blocks_ok_${label_suffix} -+.L_16_blocks_overflow_${label_suffix}: - vpshufb $SHFMSK,$CTR_BE,$CTR_BE - vmovdqa64 ddq_add_4444(%rip),$B12_15 - vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03 -@@ -3009,7 +3003,7 @@ sub GHASH_16_ENCRYPT_16_PARALLEL { - vpshufb $SHFMSK,$B04_07,$B04_07 - vpshufb $SHFMSK,$B08_11,$B08_11 - vpshufb $SHFMSK,$B12_15,$B12_15 --.L_16_blocks_ok_${rndsuffix}: -+.L_16_blocks_ok_${label_suffix}: - ___ - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -@@ -3338,25 +3332,25 @@ sub ENCRYPT_SINGLE_BLOCK { - my $XMM0 = $_[1]; # ; [in/out] - my $GPR1 = $_[2]; # ; [clobbered] - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - # ; load number of rounds from AES_KEY structure (offset in bytes is - # ; size of the |rd_key| buffer) - mov `4*15*4`($AES_KEY),@{[DWORD($GPR1)]} - cmp \$9,@{[DWORD($GPR1)]} -- je .Laes_128_${rndsuffix} -+ je .Laes_128_${label_suffix} - cmp \$11,@{[DWORD($GPR1)]} -- je .Laes_192_${rndsuffix} -+ je .Laes_192_${label_suffix} - cmp \$13,@{[DWORD($GPR1)]} -- je .Laes_256_${rndsuffix} -- jmp .Lexit_aes_${rndsuffix} -+ je .Laes_256_${label_suffix} -+ jmp .Lexit_aes_${label_suffix} - ___ - for my $keylen (sort keys %aes_rounds) { - my $nr = $aes_rounds{$keylen}; - $code .= <<___; - .align 32 --.Laes_${keylen}_${rndsuffix}: -+.Laes_${keylen}_${label_suffix}: - ___ - $code .= "vpxorq `16*0`($AES_KEY),$XMM0, $XMM0\n\n"; - for (my $i = 1; $i <= $nr; $i++) { -@@ -3364,10 +3358,10 @@ ___ - } - $code .= <<___; - vaesenclast 
`16*($nr+1)`($AES_KEY),$XMM0,$XMM0 -- jmp .Lexit_aes_${rndsuffix} -+ jmp .Lexit_aes_${label_suffix} - ___ - } -- $code .= ".Lexit_aes_${rndsuffix}:\n\n"; -+ $code .= ".Lexit_aes_${label_suffix}:\n\n"; - } - - sub CALC_J0 { -@@ -3562,52 +3556,52 @@ sub GCM_ENC_DEC_SMALL { - my $SHUFMASK = $_[29]; # [in] ZMM with BE/LE shuffle mask - my $PBLOCK_LEN = $_[30]; # [in] partial block length - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - cmp \$8,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_8_${rndsuffix} -- jl .L_small_initial_num_blocks_is_7_1_${rndsuffix} -+ je .L_small_initial_num_blocks_is_8_${label_suffix} -+ jl .L_small_initial_num_blocks_is_7_1_${label_suffix} - - - cmp \$12,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_12_${rndsuffix} -- jl .L_small_initial_num_blocks_is_11_9_${rndsuffix} -+ je .L_small_initial_num_blocks_is_12_${label_suffix} -+ jl .L_small_initial_num_blocks_is_11_9_${label_suffix} - - # ;; 16, 15, 14 or 13 - cmp \$16,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_16_${rndsuffix} -+ je .L_small_initial_num_blocks_is_16_${label_suffix} - cmp \$15,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_15_${rndsuffix} -+ je .L_small_initial_num_blocks_is_15_${label_suffix} - cmp \$14,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_14_${rndsuffix} -- jmp .L_small_initial_num_blocks_is_13_${rndsuffix} -+ je .L_small_initial_num_blocks_is_14_${label_suffix} -+ jmp .L_small_initial_num_blocks_is_13_${label_suffix} - --.L_small_initial_num_blocks_is_11_9_${rndsuffix}: -+.L_small_initial_num_blocks_is_11_9_${label_suffix}: - # ;; 11, 10 or 9 - cmp \$11,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_11_${rndsuffix} -+ je .L_small_initial_num_blocks_is_11_${label_suffix} - cmp \$10,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_10_${rndsuffix} -- jmp .L_small_initial_num_blocks_is_9_${rndsuffix} -+ je .L_small_initial_num_blocks_is_10_${label_suffix} -+ jmp 
.L_small_initial_num_blocks_is_9_${label_suffix} - --.L_small_initial_num_blocks_is_7_1_${rndsuffix}: -+.L_small_initial_num_blocks_is_7_1_${label_suffix}: - cmp \$4,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_4_${rndsuffix} -- jl .L_small_initial_num_blocks_is_3_1_${rndsuffix} -+ je .L_small_initial_num_blocks_is_4_${label_suffix} -+ jl .L_small_initial_num_blocks_is_3_1_${label_suffix} - # ;; 7, 6 or 5 - cmp \$7,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_7_${rndsuffix} -+ je .L_small_initial_num_blocks_is_7_${label_suffix} - cmp \$6,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_6_${rndsuffix} -- jmp .L_small_initial_num_blocks_is_5_${rndsuffix} -+ je .L_small_initial_num_blocks_is_6_${label_suffix} -+ jmp .L_small_initial_num_blocks_is_5_${label_suffix} - --.L_small_initial_num_blocks_is_3_1_${rndsuffix}: -+.L_small_initial_num_blocks_is_3_1_${label_suffix}: - # ;; 3, 2 or 1 - cmp \$3,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_3_${rndsuffix} -+ je .L_small_initial_num_blocks_is_3_${label_suffix} - cmp \$2,$NUM_BLOCKS -- je .L_small_initial_num_blocks_is_2_${rndsuffix} -+ je .L_small_initial_num_blocks_is_2_${label_suffix} - - # ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed - -@@ -3616,7 +3610,7 @@ sub GCM_ENC_DEC_SMALL { - ___ - - for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) { -- $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n"; -+ $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${label_suffix}:\n"; - &INITIAL_BLOCKS_PARTIAL( - $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH, $DATA_OFFSET, - $num_blocks, $CTR, $HASH_IN_OUT, $ENC_DEC, $ZTMP0, $ZTMP1, -@@ -3625,11 +3619,11 @@ ___ - $ZTMP14, $IA0, $IA1, $MASKREG, $SHUFMASK, $PBLOCK_LEN); - - if ($num_blocks != 16) { -- $code .= "jmp .L_small_initial_blocks_encrypted_${rndsuffix}\n"; -+ $code .= "jmp .L_small_initial_blocks_encrypted_${label_suffix}\n"; - } - } - -- $code .= 
".L_small_initial_blocks_encrypted_${rndsuffix}:\n"; -+ $code .= ".L_small_initial_blocks_encrypted_${label_suffix}:\n"; - } - - # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -@@ -3710,7 +3704,7 @@ sub GCM_ENC_DEC { - - my $MASKREG = "%k1"; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - # ;; reduction every 48 blocks, depth 32 blocks - # ;; @note 48 blocks is the maximum capacity of the stack frame -@@ -3751,7 +3745,7 @@ sub GCM_ENC_DEC { - } else { - $code .= "or $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n"; - } -- $code .= "je .L_enc_dec_done_${rndsuffix}\n"; -+ $code .= "je .L_enc_dec_done_${label_suffix}\n"; - - # Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in - # 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc' -@@ -3778,12 +3772,12 @@ sub GCM_ENC_DEC { - # ;; There may be no more data if it was consumed in the partial block. - $code .= <<___; - sub $DATA_OFFSET,$LENGTH -- je .L_enc_dec_done_${rndsuffix} -+ je .L_enc_dec_done_${label_suffix} - ___ - - $code .= <<___; - cmp \$`(16 * 16)`,$LENGTH -- jbe .L_message_below_equal_16_blocks_${rndsuffix} -+ jbe .L_message_below_equal_16_blocks_${label_suffix} - - vmovdqa64 SHUF_MASK(%rip),$SHUF_MASK - vmovdqa64 ddq_addbe_4444(%rip),$ADDBE_4x4 -@@ -3815,7 +3809,7 @@ ___ - - $code .= <<___; - cmp \$`(32 * 16)`,$LENGTH -- jb .L_message_below_32_blocks_${rndsuffix} -+ jb .L_message_below_32_blocks_${label_suffix} - ___ - - # ;; ==== AES-CTR - next 16 blocks -@@ -3836,13 +3830,13 @@ ___ - sub \$`(32 * 16)`,$LENGTH - - cmp \$`($big_loop_nblocks * 16)`,$LENGTH -- jb .L_no_more_big_nblocks_${rndsuffix} -+ jb .L_no_more_big_nblocks_${label_suffix} - ___ - - # ;; ==== - # ;; ==== AES-CTR + GHASH - 48 blocks loop - # ;; ==== -- $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n"; -+ $code .= ".L_encrypt_big_nblocks_${label_suffix}:\n"; - - # ;; ==== AES-CTR + GHASH - 16 blocks, start - $aesout_offset = 
($STACK_LOCAL_OFFSET + (32 * 16)); -@@ -3893,15 +3887,15 @@ ___ - add \$`($big_loop_nblocks * 16)`,$DATA_OFFSET - sub \$`($big_loop_nblocks * 16)`,$LENGTH - cmp \$`($big_loop_nblocks * 16)`,$LENGTH -- jae .L_encrypt_big_nblocks_${rndsuffix} -+ jae .L_encrypt_big_nblocks_${label_suffix} - --.L_no_more_big_nblocks_${rndsuffix}: -+.L_no_more_big_nblocks_${label_suffix}: - - cmp \$`(32 * 16)`,$LENGTH -- jae .L_encrypt_32_blocks_${rndsuffix} -+ jae .L_encrypt_32_blocks_${label_suffix} - - cmp \$`(16 * 16)`,$LENGTH -- jae .L_encrypt_16_blocks_${rndsuffix} -+ jae .L_encrypt_16_blocks_${label_suffix} - ___ - - # ;; ===================================================== -@@ -3909,7 +3903,7 @@ ___ - # ;; ==== GHASH 1 x 16 blocks - # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks - # ;; ==== then GHASH N blocks -- $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n"; -+ $code .= ".L_encrypt_0_blocks_ghash_32_${label_suffix}:\n"; - - # ;; calculate offset to the right hash key - $code .= <<___; -@@ -3937,7 +3931,7 @@ ___ - $IA0, $IA5, $MASKREG, $PBLOCK_LEN); - - $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; -- $code .= "jmp .L_ghash_done_${rndsuffix}\n"; -+ $code .= "jmp .L_ghash_done_${label_suffix}\n"; - - # ;; ===================================================== - # ;; ===================================================== -@@ -3946,7 +3940,7 @@ ___ - # ;; ==== GHASH 1 x 16 blocks (reduction) - # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks - # ;; ==== then GHASH N blocks -- $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n"; -+ $code .= ".L_encrypt_32_blocks_${label_suffix}:\n"; - - # ;; ==== AES-CTR + GHASH - 16 blocks, start - $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16)); -@@ -4007,7 +4001,7 @@ ___ - $IA0, $IA5, $MASKREG, $PBLOCK_LEN); - - $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; -- $code .= "jmp .L_ghash_done_${rndsuffix}\n"; -+ $code .= "jmp .L_ghash_done_${label_suffix}\n"; - - # ;; 
===================================================== - # ;; ===================================================== -@@ -4015,7 +4009,7 @@ ___ - # ;; ==== GHASH 1 x 16 blocks - # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks - # ;; ==== then GHASH N blocks -- $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n"; -+ $code .= ".L_encrypt_16_blocks_${label_suffix}:\n"; - - # ;; ==== AES-CTR + GHASH - 16 blocks, start - $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16)); -@@ -4059,9 +4053,9 @@ ___ - - $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; - $code .= <<___; -- jmp .L_ghash_done_${rndsuffix} -+ jmp .L_ghash_done_${label_suffix} - --.L_message_below_32_blocks_${rndsuffix}: -+.L_message_below_32_blocks_${label_suffix}: - # ;; 32 > number of blocks > 16 - - sub \$`(16 * 16)`,$LENGTH -@@ -4094,9 +4088,9 @@ ___ - - $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; - $code .= <<___; -- jmp .L_ghash_done_${rndsuffix} -+ jmp .L_ghash_done_${label_suffix} - --.L_message_below_equal_16_blocks_${rndsuffix}: -+.L_message_below_equal_16_blocks_${label_suffix}: - # ;; Determine how many blocks to process - # ;; - process one additional block if there is a partial block - mov @{[DWORD($LENGTH)]},@{[DWORD($IA1)]} -@@ -4113,13 +4107,13 @@ ___ - - # ;; fall through to exit - -- $code .= ".L_ghash_done_${rndsuffix}:\n"; -+ $code .= ".L_ghash_done_${label_suffix}:\n"; - - # ;; save the last counter block - $code .= "vmovdqu64 $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n"; - $code .= <<___; - vmovdqu64 $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX) --.L_enc_dec_done_${rndsuffix}: -+.L_enc_dec_done_${label_suffix}: - ___ - } - -@@ -4155,7 +4149,7 @@ sub INITIAL_BLOCKS_16 { - my $B08_11 = $T7; - my $B12_15 = $T8; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - my $stack_offset = $BLK_OFFSET; - $code .= <<___; -@@ -4163,13 +4157,13 @@ sub INITIAL_BLOCKS_16 { - # ;; prepare counter blocks - - cmpb 
\$`(256 - 16)`,@{[BYTE($CTR_CHECK)]} -- jae .L_next_16_overflow_${rndsuffix} -+ jae .L_next_16_overflow_${label_suffix} - vpaddd $ADDBE_1234,$CTR,$B00_03 - vpaddd $ADDBE_4x4,$B00_03,$B04_07 - vpaddd $ADDBE_4x4,$B04_07,$B08_11 - vpaddd $ADDBE_4x4,$B08_11,$B12_15 -- jmp .L_next_16_ok_${rndsuffix} --.L_next_16_overflow_${rndsuffix}: -+ jmp .L_next_16_ok_${label_suffix} -+.L_next_16_overflow_${label_suffix}: - vpshufb $SHUF_MASK,$CTR,$CTR - vmovdqa64 ddq_add_4444(%rip),$B12_15 - vpaddd ddq_add_1234(%rip),$CTR,$B00_03 -@@ -4180,7 +4174,7 @@ sub INITIAL_BLOCKS_16 { - vpshufb $SHUF_MASK,$B04_07,$B04_07 - vpshufb $SHUF_MASK,$B08_11,$B08_11 - vpshufb $SHUF_MASK,$B12_15,$B12_15 --.L_next_16_ok_${rndsuffix}: -+.L_next_16_ok_${label_suffix}: - vshufi64x2 \$0b11111111,$B12_15,$B12_15,$CTR - addb \$16,@{[BYTE($CTR_CHECK)]} - # ;; === load 16 blocks of data -@@ -4264,7 +4258,7 @@ sub GCM_COMPLETE { - my $GCM128_CTX = $_[0]; - my $PBLOCK_LEN = $_[1]; - -- my $rndsuffix = &random_string(); -+ my $label_suffix = $label_count++; - - $code .= <<___; - vmovdqu @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2 -@@ -4276,14 +4270,14 @@ ___ - - # ;; Process the final partial block. - cmp \$0,$PBLOCK_LEN -- je .L_partial_done_${rndsuffix} -+ je .L_partial_done_${label_suffix} - ___ - - # ;GHASH computation for the last <16 Byte block - &GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17"); - - $code .= <<___; --.L_partial_done_${rndsuffix}: -+.L_partial_done_${label_suffix}: - vmovq `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5 - vpinsrq \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5 # ; xmm5 = len(A)||len(C) - vpsllq \$3, %xmm5, %xmm5 # ; convert bytes into bits -@@ -4297,7 +4291,7 @@ ___ - vpshufb SHUF_MASK(%rip),%xmm4,%xmm4 # ; perform a 16Byte swap - vpxor %xmm4,%xmm3,%xmm3 - --.L_return_T_${rndsuffix}: -+.L_return_T_${label_suffix}: - vmovdqu %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX) - ___ - }